Edit tour

Windows Analysis Report
prlsqnzspl.exe

Overview

General Information

Sample name:	prlsqnzspl.exe renamed because original name is a hash value
Original sample name:	77748f838ead05509df44e987d7c3bc262483069717e53a9d18626ae245a7c0d.exe
Analysis ID:	1588772
MD5:	2a7a83cba1dd7049fdda5733e0dc2a15
SHA1:	9ed30c2b01a43c2019ef323cc260c906c8bd937c
SHA256:	77748f838ead05509df44e987d7c3bc262483069717e53a9d18626ae245a7c0d
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contain functionality to detect virtual machines

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

prlsqnzspl.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\prlsqnzspl.exe" MD5: 2A7A83CBA1DD7049FDDA5733E0DC2A15)

RegSvcs.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\prlsqnzspl.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7936461705:AAHcZGbxyAiYCbyX-HScrXbdJ1wtayV7uik", "Telegram Chatid": "7459285950"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13651:$a3: \Google\Chrome\User Data\Default\Login Data 0x1395f:$a4: \Orbitum\User Data\Default\Login Data 0x14757:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2953015221.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: prlsqnzspl.exe PID: 7320	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: prlsqnzspl.exe PID: 7320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: prlsqnzspl.exe PID: 7320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: prlsqnzspl.exe PID: 7320	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8ba03:$a1: get_encryptedPassword 0x8bd1c:$a2: get_encryptedUsername 0x8b7b2:$a3: get_timePasswordChanged 0x8b8d3:$a4: get_passwordField 0x8ba19:$a5: set_encryptedPassword 0x8d31c:$a7: get_logins 0x8cfcd:$a8: GetOutlookPasswords 0x8cdbf:$a9: StartKeylogger 0x8d26c:$a10: KeyLoggerEventArgs 0x8ce1c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7336	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35d07:$a1: get_encryptedPassword 0x36020:$a2: get_encryptedUsername 0x35ab6:$a3: get_timePasswordChanged 0x35bd7:$a4: get_passwordField 0x35d1d:$a5: set_encryptedPassword 0x37620:$a7: get_logins 0x372d1:$a8: GetOutlookPasswords 0x370c3:$a9: StartKeylogger 0x37570:$a10: KeyLoggerEventArgs 0x37120:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.prlsqnzspl.exe.e80000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.prlsqnzspl.exe.e80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.prlsqnzspl.exe.e80000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13651:$a3: \Google\Chrome\User Data\Default\Login Data 0x1395f:$a4: \Orbitum\User Data\Default\Login Data 0x14757:$a5: \Kometa\User Data\Default\Login Data
0.2.prlsqnzspl.exe.e80000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.prlsqnzspl.exe.e80000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13651:$a3: \Google\Chrome\User Data\Default\Login Data 0x1395f:$a4: \Orbitum\User Data\Default\Login Data 0x14757:$a5: \Kometa\User Data\Default\Login Data
0.2.prlsqnzspl.exe.e80000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.prlsqnzspl.exe.e80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.prlsqnzspl.exe.e80000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.prlsqnzspl.exe.e80000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.prlsqnzspl.exe.e80000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12353:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11851:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b5f:$a4: \Orbitum\User Data\Default\Login Data 0x12957:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:20:27.619737+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2953015221.00000000032A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7936461705:AAHcZGbxyAiYCbyX-HScrXbdJ1wtayV7uik", "Telegram Chatid": "7459285950"}

Multi AV Scanner detection for submitted file

Source: prlsqnzspl.exe	Virustotal: Detection: 55%			Perma Link
Source: prlsqnzspl.exe	ReversingLabs: Detection: 75%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: prlsqnzspl.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: prlsqnzspl.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: prlsqnzspl.exe, 00000000.00000003.1717568185.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, prlsqnzspl.exe, 00000000.00000003.1718745292.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: prlsqnzspl.exe, 00000000.00000003.1717568185.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, prlsqnzspl.exe, 00000000.00000003.1718745292.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008A445A
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AC6D1 FindFirstFileW,FindClose,	0_2_008AC6D1
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008AC75C
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008AEF95
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008AF0F2
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008AF3F3
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008A37EF
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008A3B12
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008ABCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01565782h	1_2_01565358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 015651B9h	1_2_01564F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01565782h	1_2_015656AF

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008B22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000001.00000002.2953015221.000000000330E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.2953015221.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000001.00000002.2953015221.000000000333D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.2953015221.000000000333D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000001.00000002.2953015221.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008B4164

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008B4164

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008B3F66

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_008A001C

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008CCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008CCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00843B3A
Source: prlsqnzspl.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: prlsqnzspl.exe, 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f081dc2f-d
Source: prlsqnzspl.exe, 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9c0e9494-a
Source: prlsqnzspl.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c424a938-7
Source: prlsqnzspl.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_73166910-3

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_008AA1EF

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00898310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00898310

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008A51BD

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086D975	0_2_0086D975
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0084FCE0	0_2_0084FCE0
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008621C5	0_2_008621C5
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008762D2	0_2_008762D2
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008C03DA	0_2_008C03DA
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0087242E	0_2_0087242E
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008625FA	0_2_008625FA
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0084E6A0	0_2_0084E6A0
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008566E1	0_2_008566E1
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0089E616	0_2_0089E616
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0087878F	0_2_0087878F
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A8889	0_2_008A8889
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00858808	0_2_00858808
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00876844	0_2_00876844
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008C0857	0_2_008C0857
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086CB21	0_2_0086CB21
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00876DB6	0_2_00876DB6
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00856F9E	0_2_00856F9E
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00853030	0_2_00853030
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00863187	0_2_00863187
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086F1D9	0_2_0086F1D9
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00841287	0_2_00841287
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00861484	0_2_00861484
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00855520	0_2_00855520
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00867696	0_2_00867696
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00855760	0_2_00855760
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00861978	0_2_00861978
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00879AB5	0_2_00879AB5
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00861D90	0_2_00861D90
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086BDA6	0_2_0086BDA6
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008C7DDB	0_2_008C7DDB
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00853FE0	0_2_00853FE0
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0084DF00	0_2_0084DF00
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0112F0A0	0_2_0112F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0156C168	1_2_0156C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_015619B8	1_2_015619B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0156CAB0	1_2_0156CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01562DD1	1_2_01562DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01564F08	1_2_01564F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01567E68	1_2_01567E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0156B9DC	1_2_0156B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0156B9E0	1_2_0156B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0156CAAE	1_2_0156CAAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01567E66	1_2_01567E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01564EF8	1_2_01564EF8

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: String function: 00860AE3 appears 70 times
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: String function: 00868900 appears 42 times
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: String function: 00847DE1 appears 36 times

Source: prlsqnzspl.exe, 00000000.00000003.1717985412.0000000003B7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs prlsqnzspl.exe
Source: prlsqnzspl.exe, 00000000.00000003.1717849346.00000000039D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs prlsqnzspl.exe
Source: prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs prlsqnzspl.exe

Source: prlsqnzspl.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008AA06A GetLastError,FormatMessageW,

0_2_008AA06A

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008981CB AdjustTokenPrivileges,CloseHandle,		0_2_008981CB
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008987E1

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008AB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008AB3FB

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008BEE0D

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008AC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008AC397

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00844E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00844E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\prlsqnzspl.exe

File created: C:\Users\user\AppData\Local\Temp\aut82AD.tmp

Jump to behavior

Source: prlsqnzspl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2953015221.000000000339E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003380000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003390000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: prlsqnzspl.exe	Virustotal: Detection: 55%
Source: prlsqnzspl.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\prlsqnzspl.exe "C:\Users\user\Desktop\prlsqnzspl.exe"
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\prlsqnzspl.exe"
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\prlsqnzspl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: prlsqnzspl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: prlsqnzspl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: prlsqnzspl.exe, 00000000.00000003.1717568185.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, prlsqnzspl.exe, 00000000.00000003.1718745292.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: prlsqnzspl.exe, 00000000.00000003.1717568185.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, prlsqnzspl.exe, 00000000.00000003.1718745292.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: prlsqnzspl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: prlsqnzspl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: prlsqnzspl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: prlsqnzspl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: prlsqnzspl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00844B37 LoadLibraryA,GetProcAddress,

0_2_00844B37

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A848F push FFFFFF8Bh; iretd	0_2_008A8491
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086E70F push edi; ret	0_2_0086E711
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086E828 push esi; ret	0_2_0086E82A
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_00868945 push ecx; ret	0_2_00868958
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086EAEC push edi; ret	0_2_0086EAEE
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086EA03 push esi; ret	0_2_0086EA05

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008448D7
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008C5376

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00863187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00863187

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: C:\Users\user\Desktop\prlsqnzspl.exe C:\Users\user\Desktop\prlsqnzspl.exe		0_2_00874BC9
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: C:\Users\user\Desktop\prlsqnzspl.exe C:\Users\user\Desktop\prlsqnzspl.exe C:\Users\user\Desktop\prlsqnzspl.exe C:\Users\user\Desktop\prlsqnzspl.exe		0_2_00874B1B

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\prlsqnzspl.exe

API/Special instruction interceptor: Address: 112ECC4

Source: C:\Users\user\Desktop\prlsqnzspl.exe

API coverage: 4.5 %

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008A445A
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AC6D1 FindFirstFileW,FindClose,	0_2_008AC6D1
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008AC75C
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008AEF95
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008AF0F2
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008AF3F3
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008A37EF
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008A3B12
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008ABCBC

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008449A0

Source: RegSvcs.exe, 00000001.00000002.2952605874.0000000001648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: prlsqnzspl.exe, 00000000.00000003.1709182950.0000000000F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0156C168 LdrInitializeThunk,LdrInitializeThunk,

1_2_0156C168

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008B3F09 BlockInput,

0_2_008B3F09

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00843B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00843B3A

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00875A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00875A7C

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00844B37 LoadLibraryA,GetProcAddress,

0_2_00844B37

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0112D8F0 mov eax, dword ptr fs:[00000030h]	0_2_0112D8F0
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0112EF30 mov eax, dword ptr fs:[00000030h]	0_2_0112EF30
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0112EF90 mov eax, dword ptr fs:[00000030h]	0_2_0112EF90

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_008980A9

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086A124 SetUnhandledExceptionFilter,		0_2_0086A124
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_0086A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0086A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10AD008

Jump to behavior

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008987B1 LogonUserW,

0_2_008987B1

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00843B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00843B3A

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008448D7

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008A4C27 mouse_event,

0_2_008A4C27

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\prlsqnzspl.exe"

Jump to behavior

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00897CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00897CAF

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_0089874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0089874B

Source: prlsqnzspl.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: prlsqnzspl.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_0086862B cpuid

0_2_0086862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00874E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00874E87

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00881E06 GetUserNameW,

0_2_00881E06

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_00873F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00873F3A

Source: C:\Users\user\Desktop\prlsqnzspl.exe

Code function: 0_2_008449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008449A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: prlsqnzspl.exe	Binary or memory string: WIN_81
Source: prlsqnzspl.exe	Binary or memory string: WIN_XP
Source: prlsqnzspl.exe	Binary or memory string: WIN_XPe
Source: prlsqnzspl.exe	Binary or memory string: WIN_VISTA
Source: prlsqnzspl.exe	Binary or memory string: WIN_7
Source: prlsqnzspl.exe	Binary or memory string: WIN_8
Source: prlsqnzspl.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953015221.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.prlsqnzspl.exe.e80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: prlsqnzspl.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_008B6283
Source: C:\Users\user\Desktop\prlsqnzspl.exe	Code function: 0_2_008B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008B6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
prlsqnzspl.exe	56%	Virustotal		Browse
prlsqnzspl.exe	75%	ReversingLabs	Win32.Trojan.AutoItinject
prlsqnzspl.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000001.00000002.2953015221.000000000333D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2953015221.000000000333D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000001.00000002.2953015221.000000000330E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2953015221.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	prlsqnzspl.exe, 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953015221.0000000003320000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588772
Start date and time:	2025-01-11 05:19:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	prlsqnzspl.exe renamed because original name is a hash value
Original Sample Name:	77748f838ead05509df44e987d7c3bc262483069717e53a9d18626ae245a7c0d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
158.101.44.242	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	104.21.15.100
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	leUmNO9XPu.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
ORACLE-BMC-31898US	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\prlsqnzspl.exe
File Type:	data
Category:	dropped
Size (bytes):	73182
Entropy (8bit):	7.923551192621581
Encrypted:	false
SSDEEP:	1536:l4fzcjmJcDK2DiCz42cYk0Y/DPJTXypOmvsNWAL:l4gjmR2GC0XYbYrxTXwHvsNWAL
MD5:	4EE5C3A03FCEEDC0D1D065311B639F7D
SHA1:	D8369E984E75B98F7455B02017C36241344ECB98
SHA-256:	6F5815923961ED7B7ADA96B393780CB500CAF52D15528FCDD65AFC34D25E757C
SHA-512:	E07683FC2445A669C29CCE6234C655D95FA85847DD47B61B5A5D3F484E77EE734ABF1CB1CB1359CD2B1DAD4160B198849EB079A1E9C015A0502054DA3090F7B8
Malicious:	false
Reputation:	low
Preview:	EA06..n.....I..E.S(.=g>.X.Pf....6..i.J..4.M..J0..S.S.. ...@.q...+.......m...7.l.K.4X..y;..$...V.<..g.y..!<..,5.......g....9L..@....i...oM.c....\|.:.i.N.G.Q.sy.:.Z.t.#oT.U....Rn.tA..{...Z.Pf..9..WkeD.S(....%.z5BM5...Y$.m&.t.../...>...:r.z......e&t.../..E...I...kq.ub4.u...IL.....%6.S....j..P.W.nTZ4..!.P......te..ZuH.t.M@.>.....H.u...T...?j...N..+....)2..+.;oB..;G....g6.b......0.....mJ....j.` ...w..n...w$..N..w.:..a0.V...&.:!`.E..t.......~.:X..I...J.W&..D..\..+...rF.tW......X.G.UZuz.....i.J.F.bd.).:...?.[..k_.U..-./6.V8.Ze.. .S.....9B...Z'R.2..#..GwP.Q.t...R..)..Zm5.Y.UI...4.OV..2...M..M.-M.q.3i.F.....3I.z.R..'..Ne..?.ze..u.W/.jeJi4.GjV.$.S..,....X.Q.......:...r.;..H.....x..'..UB.6.K.I..&..^..je..y.S.....P...2.E..2..&.i.J...Q.8..,..t...".U.T/.I..i6.k(s...A...,.K.......H..i...T:5..S......iK.[..i.N.\|..&SH...E.S-....X.}&.....h........R.tZ5".W.F.....M.Oo. ..aT.Q.Sh.....[i.......X.3:..g...k].i4.Q..peF.M.V*TY.&_..M.7.%R..Hf.i.B.;.Q.uy...R...z5Be7...

C:\Users\user\AppData\Local\Temp\snaith

Download File

Process:	C:\Users\user\Desktop\prlsqnzspl.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.8595256619782035
Encrypted:	false
SSDEEP:	1536:9qBCh/fPA99WW9SdPoc9J8UJKEaL0RivbREtLkjxt385+iCO8hgSzR6qhvzcy1dh:8BCh/fYa3dPocdmL0RivbREVkjf385+z
MD5:	12B4BC9C033BB7C93C60F88A7DD88025
SHA1:	13DAE947FB568D14732E683368E4550A892EDDBE
SHA-256:	EF5377D094592ABD413A9921799847A82C440FE5B68E4E0598EBE9D465019D33
SHA-512:	AC3C4AADB6DEC13CEB9D6D902DE70370C6A98C1CA537E04CF0ABD3E4A0DE14C1931B250132C01EB946E3DBD716015F5ABDA4DE652D89809F5A98151D1E66D1D9
Malicious:	false
Reputation:	low
Preview:	...456REBLGS..NX.A4MRFP6uUNTT2A4466REFLGSS0NXRA4MRFP65UNTT2A.466\Z.BG.Z.o.S..l..9E.%<;3@ Y.UW<+)8g16.<-<a]#r..e.8!01.L9>.6REFLGS.uNX.@7M....5UNTT2A4.64SNG.GS71NXZA4MRFP..TNTt2A4.76RE.LGsS0NZRA0MRFP65UHTT2A4466.DFLESS0NXRC4-.FP&5U^TT2A$46&REFLGSC0NXRA4MRFP6..OT.2A44.7R.CLGSS0NXRA4MRFP65UNT.3A8466REFLGSS0NXRA4MRFP65UNTT2A4466REFLGSS0NXRA4MRFP65UnTT:A4466REFLGS[.NX.A4MRFP65UNTzF$L@66R.$MGSs0NX6@4MPFP65UNTT2A4466rEF,i! B-XRA.HRFP.4UNRT2AR566REFLGSS0NXR.4M.h"SY:-TT>A446.SEFNGSS\OXRA4MRFP65UNT.2Av466REFLGSS0NXRA4m.GP65UN.T2A6436..FL..S0MXRAnMR@..5U.TT2A4466REFLGSS0NXRA4MRFP65UNTT2A4466REFLGS.M.W...$!.65UNTT3C700>ZEFLGSS0N&RA4.RFPv5UNcT2A.466?EFLcSS00XRAJMRF465U<TT2 446qREF#GSS^NXR?4MRXR.UN^~.A6..6ROFf. r0NR.@4MV5r65_.VT2EG.66X.ELGW .NXX.0MRB#.5UD.Q2A0.l6Q.PJGSH_vXRK4N.SV65NdrT0i.46<Ro`LD.F6NXIk.MP.Y65Qd.'/A42.tREL8NSS2.RRA0gLDxu5UD~vLR442.Rod2SSS4eXxcJXRFT.5.lB2A0.6.p;QLGWx0d^x#4?.JPF6:/TT4i.46<z.FLASy.N&\A4IP).65_h~n2id460Rm.LGUS..X,r4MVjWH.UNP.$?.462.C>LGU .NXXd.~RFT..UN^T..4.o6RCFd.SS6

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.902732139601521
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	prlsqnzspl.exe
File size:	996'352 bytes
MD5:	2a7a83cba1dd7049fdda5733e0dc2a15
SHA1:	9ed30c2b01a43c2019ef323cc260c906c8bd937c
SHA256:	77748f838ead05509df44e987d7c3bc262483069717e53a9d18626ae245a7c0d
SHA512:	685f4be9262b59c24f2a0ec16724f74dae8b6889200b7a6a4f495bb2736040638bce86936e3becc4eac8324567d382759b9d125b624a9a04e17cd8f1a0282db9
SSDEEP:	24576:Xu6J33O0c+JY5UZ+XC0kGso6FaEXs9QWY:xu0c++OCvkGs9FaECY
TLSH:	FF25AE2273DDC360CB669173BF69B7016EBF3C610630B95B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674DA010 [Mon Dec 2 11:54:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9FD12011CAh
jmp 00007F9FD11F3F94h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9FD11F411Ah
cmp edi, eax
jc 00007F9FD11F447Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9FD11F4119h
rep movsb
jmp 00007F9FD11F442Ch
cmp ecx, 00000080h
jc 00007F9FD11F42E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9FD11F4120h
bt dword ptr [004BE324h], 01h
jc 00007F9FD11F45F0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9FD11F42BDh
test edi, 00000003h
jne 00007F9FD11F42CEh
test esi, 00000003h
jne 00007F9FD11F42ADh
bt edi, 02h
jnc 00007F9FD11F411Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9FD11F4123h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9FD11F4175h
bt esi, 03h
jnc 00007F9FD11F41C8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2aa3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2aa3c	0x2ac00	02d83d387a45d49a1e430030e568e49a	False	0.8447722496345029	data	7.679563345202166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x21d03	data			1.0003682337056585
RT_GROUP_ICON	0xf14bc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf1534	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf1548	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf155c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf1570	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf164c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:20:27.619737+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:20:25.501264095 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:20:25.506125927 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:20:25.506194115 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:20:25.506356955 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:20:25.511181116 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:20:26.942652941 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:20:26.947011948 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:20:26.951869011 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:20:27.571567059 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:20:27.581279993 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:27.581315041 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:27.581376076 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:27.591075897 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:27.591099977 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:27.619736910 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:20:28.055553913 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.055680037 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:28.062282085 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:28.062311888 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.062671900 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.104132891 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:28.118882895 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:28.159346104 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.229768991 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.229841948 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 05:20:28.229949951 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:20:28.256098986 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 05:21:32.570981979 CET	80	49730	158.101.44.242	192.168.2.4
Jan 11, 2025 05:21:32.571069956 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:22:07.573249102 CET	49730	80	192.168.2.4	158.101.44.242
Jan 11, 2025 05:22:07.578383923 CET	80	49730	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:20:25.488796949 CET	49325	53	192.168.2.4	1.1.1.1
Jan 11, 2025 05:20:25.496040106 CET	53	49325	1.1.1.1	192.168.2.4
Jan 11, 2025 05:20:27.573592901 CET	62852	53	192.168.2.4	1.1.1.1
Jan 11, 2025 05:20:27.580547094 CET	53	62852	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:20:25.488796949 CET	192.168.2.4	1.1.1.1	0xedcc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.573592901 CET	192.168.2.4	1.1.1.1	0x24eb	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:25.496040106 CET	1.1.1.1	192.168.2.4	0xedcc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:20:27.580547094 CET	1.1.1.1	192.168.2.4	0x24eb	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	158.101.44.242	80	7336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:20:25.506356955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:20:26.942652941 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9a7d52b4389a64a4c0bec0474ed2da39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:20:26.947011948 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:20:27.571567059 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af27c8241810c343d941879c6caf3ccb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.48.1	443	7336	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:20:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:20:28 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:20:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884017 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GMByYR5cpbE5z9SQqLB9V%2F3pASabsp7TN%2BVKxsGUvebfZyML8TiSXZOmnigOvMFBR2Tti4ADQQNW%2BRVa%2FfDFVWP3PDnPEL%2FJehM0vCBKHwli8Yx%2BQ%2FVSWZZFYnqsUDOMzBE5FUXu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90021d4c1bff43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1547&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1770770&cwnd=226&unsent_bytes=0&cid=9782b722c233bbaa&ts=188&x=0"
2025-01-11 04:20:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	23:20:23
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\prlsqnzspl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\prlsqnzspl.exe"
Imagebase:	0x840000
File size:	996'352 bytes
MD5 hash:	2A7A83CBA1DD7049FDDA5733E0DC2A15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1720315051.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:20:24
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\prlsqnzspl.exe"
Imagebase:	0xe90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2951755794.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2953015221.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8%
Total number of Nodes:	2000
Total number of Limit Nodes:	191

Executed Functions

Function 00843B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00843B68
IsDebuggerPresent.KERNEL32 ref: 00843B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,009052F8,009052E0,?,?), ref: 00843BEB

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

Part of subcall function 0085092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00843C14,009052F8,?,?,?), ref: 0085096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00843C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008F7770,00000010), ref: 0087D281
SetCurrentDirectoryW.KERNEL32(?,009052F8,?,?,?), ref: 0087D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,008F4260,009052F8,?,?,?), ref: 0087D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0087D346

Part of subcall function 00843A46: GetSysColorBrush.USER32(0000000F), ref: 00843A50
Part of subcall function 00843A46: LoadCursorW.USER32(00000000,00007F00), ref: 00843A5F
Part of subcall function 00843A46: LoadIconW.USER32(00000063), ref: 00843A76
Part of subcall function 00843A46: LoadIconW.USER32(000000A4), ref: 00843A88
Part of subcall function 00843A46: LoadIconW.USER32(000000A2), ref: 00843A9A
Part of subcall function 00843A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00843AC0
Part of subcall function 00843A46: RegisterClassExW.USER32(?), ref: 00843B16

Part of subcall function 008439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00843A03
Part of subcall function 008439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843A24
Part of subcall function 008439D5: ShowWindow.USER32(00000000,?,?), ref: 00843A38
Part of subcall function 008439D5: ShowWindow.USER32(00000000,?,?), ref: 00843A41

Part of subcall function 0084434A: _memset.LIBCMT ref: 00844370
Part of subcall function 0084434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00844415

Strings

This is a third-party compiled AutoIt script., xrefs: 0087D279
runas, xrefs: 0087D33A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: ee0824aa38ab80534c009069e8942448b858d525e12bac2a8aa908a2515f9bfc
Instruction ID: cf7a278de521a3629ea9bb43022f582cc0eff54416e508804123d911e0eba46b
Opcode Fuzzy Hash: ee0824aa38ab80534c009069e8942448b858d525e12bac2a8aa908a2515f9bfc
Instruction Fuzzy Hash: ED51BF3190824DAEEF11ABBCDC45EAE7B79FF45714F008065F521E22A2DB709646DF22

Function 008449A0 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 008449CD

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

GetCurrentProcess.KERNEL32(?,008CFAEC,00000000,00000000,?), ref: 00844A9A
IsWow64Process.KERNEL32(00000000), ref: 00844AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00844AE7
FreeLibrary.KERNEL32(00000000), ref: 00844AF2
GetSystemInfo.KERNEL32(00000000), ref: 00844B23
GetSystemInfo.KERNEL32(00000000), ref: 00844B2F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 1aa66f3c13beab755649fcb9a5669ebd1e1d755522e2abe90bd4978c3193962a
Instruction ID: 079570504eba0165412be3bcd890b1262acb560046b2e9af74a96f90f042987e
Opcode Fuzzy Hash: 1aa66f3c13beab755649fcb9a5669ebd1e1d755522e2abe90bd4978c3193962a
Instruction Fuzzy Hash: 4A91B3319897C8DAC731CB6885506AABFF5FF2A304B485D6ED0CBD3A42D630E508C75A

Function 00844E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00844D8E,?,?,00000000,00000000), ref: 00844E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00844D8E,?,?,00000000,00000000), ref: 00844EB0
LoadResource.KERNEL32(?,00000000,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F), ref: 0087D937
SizeofResource.KERNEL32(?,00000000,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F), ref: 0087D94C
LockResource.KERNEL32(00844D8E,?,?,00844D8E,?,?,00000000,00000000,?,?,?,?,?,?,00844E2F,00000000), ref: 0087D95F

Strings

SCRIPT, xrefs: 00844EA6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 20ba5a4dc4234e3de0b16f8344aa7b1c914781268ed66e63061c23aef7787c68
Instruction ID: 92645e991e5a77d44c4a949cfac1e8da08936dbfd71095c853cf5eedf32ec3d6
Opcode Fuzzy Hash: 20ba5a4dc4234e3de0b16f8344aa7b1c914781268ed66e63061c23aef7787c68
Instruction Fuzzy Hash: 18112A75240705BFE7218B65EC48F67BBBEFBC5B61F20826CF616D6250DB71E8008A60

Function 0084FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 0bcf0a9868576424d85223729dcb1be9fb5abc5ed4234b77b9db27fcac117889
Instruction ID: ccafb2bc71568f05e538a8de9a410765f5f5b5cee1c79b5e7f99ebce88e2f939
Opcode Fuzzy Hash: 0bcf0a9868576424d85223729dcb1be9fb5abc5ed4234b77b9db27fcac117889
Instruction Fuzzy Hash: E69236716087458FD720DF28C480B2ABBE1FB85314F14896DE89ADB262D775EC49CF92

Function 008A445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0087E398), ref: 008A446A
FindFirstFileW.KERNELBASE(?,?), ref: 008A447B
FindClose.KERNEL32(00000000), ref: 008A448B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 90739323e6049bfbaba3665d634bf982eb6bb628d341b7bc775574fc8e2850ae
Instruction ID: cf4b48062bcb58f4743225d4e859390105db593f1de785e1b60968e42393bd67
Opcode Fuzzy Hash: 90739323e6049bfbaba3665d634bf982eb6bb628d341b7bc775574fc8e2850ae
Instruction Fuzzy Hash: 38E0D8324129046766106B38EC0D8E9776DFF4A335F100715F935D11D1E7F459009599

Function 008509D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00850A5B
timeGetTime.WINMM ref: 00850D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00850E53
Sleep.KERNEL32(0000000A), ref: 00850E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00850EFA
DestroyWindow.USER32 ref: 00850F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00850F20
Sleep.KERNEL32(0000000A,?,?), ref: 00884E83
TranslateMessage.USER32(?), ref: 00885C60
DispatchMessageW.USER32(?), ref: 00885C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00885C82

Strings

@GUI_CTRLHANDLE, xrefs: 00884FE4
@GUI_CTRLID, xrefs: 00884F3A
@COM_EVENTOBJ, xrefs: 008854F0
@GUI_WINHANDLE, xrefs: 00884F8F
@TRAY_ID, xrefs: 0088578F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 918c6f0ba178f30fe59a20411ca769294cf7f7e86d5adacba2f1848dd118cb96
Instruction ID: 92d67bb12ba26217952265de3c6ef7fa4ff1730f4067e9c19ccb227db0d0e21a
Opcode Fuzzy Hash: 918c6f0ba178f30fe59a20411ca769294cf7f7e86d5adacba2f1848dd118cb96
Instruction Fuzzy Hash: C1B2BE70608745DFD724EF28C885BAABBE5FF84304F14491DE999D72A1DB71E848CB82

Function 008A9155 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A8F5F: __time64.LIBCMT ref: 008A8F69

Part of subcall function 00844EE5: _fseek.LIBCMT ref: 00844EFD

__wsplitpath.LIBCMT ref: 008A9234

Part of subcall function 008640FB: __wsplitpath_helper.LIBCMT ref: 0086413B

_wcscpy.LIBCMT ref: 008A9247
_wcscat.LIBCMT ref: 008A925A
__wsplitpath.LIBCMT ref: 008A927F
_wcscat.LIBCMT ref: 008A9295
_wcscat.LIBCMT ref: 008A92A8

Part of subcall function 008A8FA5: _memmove.LIBCMT ref: 008A8FDE
Part of subcall function 008A8FA5: _memmove.LIBCMT ref: 008A8FED

_wcscmp.LIBCMT ref: 008A91EF

Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9824
Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008A9452
_wcsncpy.LIBCMT ref: 008A94C5
DeleteFileW.KERNEL32(?,?), ref: 008A94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008A9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008A9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008A9534

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 491a101ae89759730d180c91fe4d91d49d2417300dbfd10bc9400e665f662fb4
Instruction ID: e3fb1d46421ba3c0288d07cbfdcdebb684e2502fd2ff90052c231e47ecc8a064
Opcode Fuzzy Hash: 491a101ae89759730d180c91fe4d91d49d2417300dbfd10bc9400e665f662fb4
Instruction Fuzzy Hash: AFC10BB1D0421DAADF21DF99CC85ADEB7BDFF45310F0040AAF609E6151EB309A458F66

Function 0084301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00843074
RegisterClassExW.USER32(00000030), ref: 0084309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
InitCommonControlsEx.COMCTL32(?), ref: 008430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
LoadIconW.USER32(000000A9), ref: 008430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101

Strings

0, xrefs: 00843056
AutoIt v3 GUI, xrefs: 00843090
+, xrefs: 0084305D
TaskbarCreated, xrefs: 008430A4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0c2cc4dcba8b7802780c4fc317e12ec23efa40f2dd26540272fbe507b8b8b666
Instruction ID: 50acb39e7096fa68ca9c41e9848ddf6e73e85317ebee7bc727087b90de129cc6
Opcode Fuzzy Hash: 0c2cc4dcba8b7802780c4fc317e12ec23efa40f2dd26540272fbe507b8b8b666
Instruction Fuzzy Hash: F93129B1814358EFEB41CFA4E889ADABBF5FB09710F10812AFA50E62A1D7B54544CF90

Function 00843041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00843074
RegisterClassExW.USER32(00000030), ref: 0084309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
InitCommonControlsEx.COMCTL32(?), ref: 008430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
LoadIconW.USER32(000000A9), ref: 008430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101

Strings

0, xrefs: 00843056
AutoIt v3 GUI, xrefs: 00843090
+, xrefs: 0084305D
TaskbarCreated, xrefs: 008430A4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 53354d438c057cc14af11b545c2d3dc9d18a230cc5658828d3afdb965bd97269
Instruction ID: be11aa0b7ea8f13ae9594894204a22fbd3f8b16b24dabaea91839bbbf3f5b556
Opcode Fuzzy Hash: 53354d438c057cc14af11b545c2d3dc9d18a230cc5658828d3afdb965bd97269
Instruction Fuzzy Hash: 6E21C0B1915618AFEB00DFA4E889B9EBBF5FB08700F00812AFA11E62A1D7B14544DF95

Function 0084708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00844706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009052F8,?,008437AE,?), ref: 00844724

Part of subcall function 0086050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00847165), ref: 0086052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008471A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0087E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0087E909
RegCloseKey.ADVAPI32(?), ref: 0087E947
_wcscat.LIBCMT ref: 0087E9A0

Strings

\, xrefs: 0087E9C3
Include, xrefs: 0087E8BF, 0087E900
\Include\, xrefs: 00847165
Software\AutoIt v3\AutoIt, xrefs: 0084719E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: d02bc8cfddf6fd76e885bb73ef3d005ba4dd0147e6e39bed7312b39cab3c3b4b
Instruction ID: a0fd4384d1f671190a7fdddad466bb4a3ace13f074b52bff6cec54d9b7601629
Opcode Fuzzy Hash: d02bc8cfddf6fd76e885bb73ef3d005ba4dd0147e6e39bed7312b39cab3c3b4b
Instruction Fuzzy Hash: 24719D715183059EC304EF2DE8819ABBBF8FF99310B40492EF555C72A1EB71D948DB52

Function 00843A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00843A50
LoadCursorW.USER32(00000000,00007F00), ref: 00843A5F
LoadIconW.USER32(00000063), ref: 00843A76
LoadIconW.USER32(000000A4), ref: 00843A88
LoadIconW.USER32(000000A2), ref: 00843A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00843AC0
RegisterClassExW.USER32(?), ref: 00843B16

Part of subcall function 00843041: GetSysColorBrush.USER32(0000000F), ref: 00843074
Part of subcall function 00843041: RegisterClassExW.USER32(00000030), ref: 0084309E
Part of subcall function 00843041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008430AF
Part of subcall function 00843041: InitCommonControlsEx.COMCTL32(?), ref: 008430CC
Part of subcall function 00843041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008430DC
Part of subcall function 00843041: LoadIconW.USER32(000000A9), ref: 008430F2
Part of subcall function 00843041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00843101

Strings

0, xrefs: 00843AF4
AutoIt v3, xrefs: 00843B05
#, xrefs: 00843AFB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c419c8fe293a0121d0631470bf57f474fce6b1ae879bf4c892448b5c4776a8ce
Instruction ID: 6a429901c59cf35e209f14503a1e782b3416481d80298f3d3ed4c0e6260052a1
Opcode Fuzzy Hash: c419c8fe293a0121d0631470bf57f474fce6b1ae879bf4c892448b5c4776a8ce
Instruction Fuzzy Hash: F4214870D24708EFEB10DFA8EC09B9E7FB1FB08711F01412AE614A62B2D3B55654AF94

Function 00843633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008436D2
KillTimer.USER32(?,00000001), ref: 008436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0084371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0084372A
CreatePopupMenu.USER32 ref: 0084373E
PostQuitMessage.USER32(00000000), ref: 0084374D

Strings

TaskbarCreated, xrefs: 00843725

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 79190ae35cb3b4ba33b710b798c8c4485e815ba674ea1f07a26cdb1eeb2654ac
Instruction ID: ffd55db4c5c0e06c88a06269f5c42b194945758a7bfc6e039da404ce7331236c
Opcode Fuzzy Hash: 79190ae35cb3b4ba33b710b798c8c4485e815ba674ea1f07a26cdb1eeb2654ac
Instruction Fuzzy Hash: 4F4127B221460EBFDF245F68DC0DB7A36A5FF10300F154135FA12D62E6DB709E54AA62

Function 00843766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267COMMON

Download Yara Rule

Strings

/AutoIt3OutputDebug, xrefs: 00843892
CMDLINERAW, xrefs: 008437FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 008437AE
/ErrorStdOut, xrefs: 0084387D
CMDLINE, xrefs: 00843822
/AutoIt3ExecuteScript, xrefs: 008438BC
/AutoIt3ExecuteLine, xrefs: 008438A7

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: bab8f365e22ac58258a3730c471e97bb6375e526d3f226491eacba41e6e3efb8
Instruction ID: 07da9b3150e4c123d43b1b8fa81d27c10823ff4a1c04d4d2f127f42b9fe20519
Opcode Fuzzy Hash: bab8f365e22ac58258a3730c471e97bb6375e526d3f226491eacba41e6e3efb8
Instruction Fuzzy Hash: 14A13B7191062D9ADF14EBA8DC95EEEBB79FF14310F400429E416E7192EF749A08CB62

Function 0112E080 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0112E151
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0112E377

Memory Dump Source

Source File: 00000000.00000002.1720586775.000000000112B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112b000_prlsqnzspl.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 98994a7f824f1a9bb3c88d5546b9ad746df734e8af3a4958248ad7b26c9f7800
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 9BA12570E05219EFDB18CFA4C894BEEBBB5FF48305F208159E605BB280C7759A51CB95

Function 008439D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00843A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843A24
ShowWindow.USER32(00000000,?,?), ref: 00843A38
ShowWindow.USER32(00000000,?,?), ref: 00843A41

Strings

edit, xrefs: 00843A1E
AutoIt v3, xrefs: 008439FB, 00843A00, 00843A01

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: df04147a9c2cf0ee41da64eeb9316fff090db98d5988c30870b37d328f7254e7
Instruction ID: e16166f902b1898b422be47289ff57100f0794ce92bca885c39aafd9fe890ad2
Opcode Fuzzy Hash: df04147a9c2cf0ee41da64eeb9316fff090db98d5988c30870b37d328f7254e7
Instruction Fuzzy Hash: DAF03A70514294BFEA30672B6C0CF2B3E7EEBC6F50F02402EBA14A2171C2710850EEB0

Function 0112DE30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0112DD20: Sleep.KERNELBASE(000001F4), ref: 0112DD31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0112DF6A

Strings

2A4466REFLGSS0NXRA4MRFP65UNTT, xrefs: 0112DFCD, 0112DFD0

Memory Dump Source

Source File: 00000000.00000002.1720586775.000000000112B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112b000_prlsqnzspl.jbxd

Similarity

API ID: CreateFileSleep
String ID: 2A4466REFLGSS0NXRA4MRFP65UNTT
API String ID: 2694422964-3485395224
Opcode ID: fe6ad664fa40bb61c8b87e8d4d91c5c5247eae46b4786d9bc01f03eec59f4f23
Instruction ID: d1b28a0870e3dc7f6398829be3237ff833b0faabaeae456ef293bd5cb56453e1
Opcode Fuzzy Hash: fe6ad664fa40bb61c8b87e8d4d91c5c5247eae46b4786d9bc01f03eec59f4f23
Instruction Fuzzy Hash: 5D61AF70D04298DAEF15D7F8C858BDEBBB8AF15304F004199E6487B2C1D7B91B49CBA6

Function 0084407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0087D3D7

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

_memset.LIBCMT ref: 008440FC
_wcscpy.LIBCMT ref: 00844150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00844160

Strings

Line: , xrefs: 0087D400

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c26eb76cc201f01ac5a8aa2b72661d5def7b7bf070853f13e98441d934b6cd3d
Instruction ID: 8d2cb23a77722e98aacd59cd799d0da6f574d03cbcef0276154d82660e1d9c9f
Opcode Fuzzy Hash: c26eb76cc201f01ac5a8aa2b72661d5def7b7bf070853f13e98441d934b6cd3d
Instruction Fuzzy Hash: D931AE71008708AFD721EB68DC46FEB77E8FF44314F20451AB699D20A1EB749658CB93

Function 0086541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0086547B
_memcpy_s.LIBCMT ref: 008654ED
__read_nolock.LIBCMT ref: 0086554B
__filbuf.LIBCMT ref: 0086556E
_memset.LIBCMT ref: 008655B2

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: fc5e9589622005f3e27cb2e0344677f34adcaed12d685c6d462084afced34a8b
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 5A51D670A00B09DBCB248F69D88966E77A2FF40335F258769F836D62D0DB71DD908B45

Function 0084686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00844DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E0F

_free.LIBCMT ref: 0087E263
_free.LIBCMT ref: 0087E2AA

Part of subcall function 00846A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00846BAD

Strings

Bad directive syntax error, xrefs: 0087E292
>>>AUTOIT SCRIPT<<<, xrefs: 0087E039

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7e5971d18512dfccd297d73bbb255e089d934ab32ac32105c2e45fc6eae9a335
Instruction ID: d18190800ef837ba4bae1d26882f13ded5e7ca13113f60013cd56a3953a471da
Opcode Fuzzy Hash: 7e5971d18512dfccd297d73bbb255e089d934ab32ac32105c2e45fc6eae9a335
Instruction Fuzzy Hash: FD915B7191021DAFCF04EFA8C8819EDB7B8FF19314B14846AF819EB2A2DB709915CB51

Function 008435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008435A1,SwapMouseButtons,00000004,?), ref: 008435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008435A1,SwapMouseButtons,00000004,?,?,?,?,00842754), ref: 008435F5
RegCloseKey.KERNELBASE(00000000,?,?,008435A1,SwapMouseButtons,00000004,?,?,?,?,00842754), ref: 00843617

Strings

Control Panel\Mouse, xrefs: 008435D2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8b9a53f8c271772c9c3490c56d3a2e61b3149951ccf8b53abaff37c40d9cbc44
Instruction ID: d13593dd9c52d3e4bd4f7127de4d6004eca4809fce1e42270cfba1c1a98c6b34
Opcode Fuzzy Hash: 8b9a53f8c271772c9c3490c56d3a2e61b3149951ccf8b53abaff37c40d9cbc44
Instruction Fuzzy Hash: 2911487151020DBFEB219FA4DC40DAEB7B9FF14740F128469F905E7210D2719E40A760

Function 0112CD20 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0112D54D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0112D571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0112D593

Memory Dump Source

Source File: 00000000.00000002.1720586775.000000000112B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112b000_prlsqnzspl.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: d48f4f2615c8d5dfdd2ae32083215ef10a0fa18c8a02bbc3ce365a4706817ac6
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: B3621C30A14258DBEB28CFA4D840BDEB772EF58304F1091A9D10DEB394E7799E91CB59

Function 008A955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00844EE5: _fseek.LIBCMT ref: 00844EFD

Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9824
Part of subcall function 008A9734: _wcscmp.LIBCMT ref: 008A9837

_free.LIBCMT ref: 008A96A2
_free.LIBCMT ref: 008A96A9
_free.LIBCMT ref: 008A9714

Part of subcall function 00862D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00869A24), ref: 00862D69
Part of subcall function 00862D55: GetLastError.KERNEL32(00000000,?,00869A24), ref: 00862D7B

_free.LIBCMT ref: 008A971C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction ID: 2ab2f689797c572244a4e4562a145ad226acf9b2207a67c0ed09499a1d80dba2
Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction Fuzzy Hash: 95514CB1D14218ABDF259F68CC81A9EBBB9FF49300F1044AEF249E3241DB715A80CF59

Function 0086470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008647A0
__flush.LIBCMT ref: 008647C0
__write.LIBCMT ref: 008647F3
__flsbuf.LIBCMT ref: 00864821

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 9fce285a45aa91ff87f4d732651d8ef4007060f19dc4ca2a65d77a6c6ca183cd
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 5541D475B0074EDBDB19DEA9C8809AE7BA6FF42364B26D53DE815C7640DB70DD408B40

Function 00847285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0087EA39
GetOpenFileNameW.COMDLG32(?), ref: 0087EA83

Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770

Part of subcall function 00860791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0

Strings

X, xrefs: 0087EA51

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 93a3099a83351d5b3841daf882e5cb79d295dbdc4e724199ba64b62c5c0167ee
Instruction ID: 116155b6357de1143852dde759f36ec4b2986e941c585e58e12a18412e5f1337
Opcode Fuzzy Hash: 93a3099a83351d5b3841daf882e5cb79d295dbdc4e724199ba64b62c5c0167ee
Instruction Fuzzy Hash: C021A131A1025C9BCF419FD8D845BEEBBF8FF49714F008059E508E7241DBB459898FA2

Function 008A8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008A8DAC
__fread_nolock.LIBCMT ref: 008A8DC1

Strings

EA06, xrefs: 008A8DF3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 196cc4d80d81e111e1b94f38614f9c9dc71aca2397cd8d9200468d40bfcb3bf6
Instruction ID: 05adeb769645ca5d627f84da01c1d9754ba317eea00683e2a35750271d9d7857
Opcode Fuzzy Hash: 196cc4d80d81e111e1b94f38614f9c9dc71aca2397cd8d9200468d40bfcb3bf6
Instruction Fuzzy Hash: 4401DD71D04218BEDB18DBA8CC5AEFE7BF8EB15311F00459FF552D6181E975E6048B60

Function 008A98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 008A98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008A990F

Strings

aut, xrefs: 008A9909

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 03ec59d4ad4291f9ea8a7456d4eddec21054e4d18ced728f710dc4a73371b63e
Instruction ID: db23eb14d689b19d5c10f46c16977df456b89cf684b8e9d2b75233540e320fff
Opcode Fuzzy Hash: 03ec59d4ad4291f9ea8a7456d4eddec21054e4d18ced728f710dc4a73371b63e
Instruction Fuzzy Hash: 86D05B7554030DABDB509BA0DC0DF9A773CF704700F0002B1BB54D1191D97055548B91

Function 008BCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a8cff0e410a79fd5ce9c3b72518a71df4f0818bb48ed77871aecb8db348599
Instruction ID: a3fb8f4e453a0514d5d944bb3de5d9655b6b16be603480a274cdc7a421cb0883
Opcode Fuzzy Hash: a3a8cff0e410a79fd5ce9c3b72518a71df4f0818bb48ed77871aecb8db348599
Instruction Fuzzy Hash: 05F103756083059FCB14DF28C480A6ABBE5FB89314F14896EF899DB352DB70E945CF82

Function 0084F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00860162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00860193
Part of subcall function 00860162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0086019B
Part of subcall function 00860162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008601A6
Part of subcall function 00860162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008601B1
Part of subcall function 00860162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008601B9
Part of subcall function 00860162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008601C1

Part of subcall function 008560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0084F930), ref: 00856154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0084F9CD
OleInitialize.OLE32(00000000), ref: 0084FA4A
CloseHandle.KERNEL32(00000000), ref: 008845C8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ce2c0b4545df8c927187212d6763569e360be7df5fb837ece02b5d23ba5868e4
Instruction ID: a2c357a923c6462cda1491e1c39c78780be3fa14978c381956fe41745165607d
Opcode Fuzzy Hash: ce2c0b4545df8c927187212d6763569e360be7df5fb837ece02b5d23ba5868e4
Instruction Fuzzy Hash: C781C3B0929B44CFC794DF39AC4869B7BEAFB58306752812AD109C7372E7704884EF11

Function 0084434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00844370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00844415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00844432

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 364493461ef2386bb20a5f5fdedc44fea4e78ffc98b27cc31b8417430c3ce16a
Instruction ID: bf490316bc73e35858d2342500cd2c9c8deed37086e216a873be2779f70565b1
Opcode Fuzzy Hash: 364493461ef2386bb20a5f5fdedc44fea4e78ffc98b27cc31b8417430c3ce16a
Instruction Fuzzy Hash: 593173715057058FD721DF28D884B9BBBF8FF58708F00092EE69AD3251E771A944CB96

Function 0086571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00865733

Part of subcall function 0086A16B: __NMSG_WRITE.LIBCMT ref: 0086A192
Part of subcall function 0086A16B: __NMSG_WRITE.LIBCMT ref: 0086A19C

__NMSG_WRITE.LIBCMT ref: 0086573A

Part of subcall function 0086A1C8: GetModuleFileNameW.KERNEL32(00000000,009033BA,00000104,?,00000001,00000000), ref: 0086A25A
Part of subcall function 0086A1C8: ___crtMessageBoxW.LIBCMT ref: 0086A308

Part of subcall function 0086309F: ___crtCorExitProcess.LIBCMT ref: 008630A5
Part of subcall function 0086309F: ExitProcess.KERNEL32 ref: 008630AE

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: fd87d49813f0b908169f64f58c6c9167ade2b9adf374d6b7e57cea7c408da5a9
Instruction ID: e25956628c781caa4718d71069430158315b0632e75ee6e6512ed744a41fd6da
Opcode Fuzzy Hash: fd87d49813f0b908169f64f58c6c9167ade2b9adf374d6b7e57cea7c408da5a9
Instruction Fuzzy Hash: 3E01B135244B05EEE615373DEC92A2E739CFB82765F530536F519EA2C2DE709C005762

Function 008A98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008A9548,?,?,?,?,?,00000004), ref: 008A98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008A9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008A98D1
CloseHandle.KERNEL32(00000000,?,008A9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008A98D8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 637b35b1410be9fec774b108022cb1567e6ce3d38f3f8cb24135938f53f20e61
Instruction ID: 4702eccdf5ab5079b56acec78f896d7b8726f449b9862dc86cbfd5e65927b812
Opcode Fuzzy Hash: 637b35b1410be9fec774b108022cb1567e6ce3d38f3f8cb24135938f53f20e61
Instruction Fuzzy Hash: 46E08632141214B7F7221B64EC09FCA7B2AFB06760F144121FB54A90E187B115119798

Function 008A8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008A8D1B

Part of subcall function 00862D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00869A24), ref: 00862D69
Part of subcall function 00862D55: GetLastError.KERNEL32(00000000,?,00869A24), ref: 00862D7B

_free.LIBCMT ref: 008A8D2C
_free.LIBCMT ref: 008A8D3E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: 7dfd01275027eb06aad65aa4346ebabe0a943f57bec6b747d5b69bd5531e8cd0
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: 91E0C2A1602A0082EB21A57CA840A8313DCFF48352704084DB40DE7182CE64F8428034

Function 0084A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0087FC01

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f8a60ee4d4788162467323d17c485452caf5ebf7d4708c592cb09e58637add8a
Instruction ID: e65a074964c33e106fbaaa207e9b86c4ce366255fabe74ee630f5022616cb32b
Opcode Fuzzy Hash: f8a60ee4d4788162467323d17c485452caf5ebf7d4708c592cb09e58637add8a
Instruction Fuzzy Hash: 9B224670548209DFDB28DF18C490A2ABBE1FF84314F15896DE89ADB262D735EC45CB82

Function 00844C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00844CBA

Strings

EA06, xrefs: 0087D8CC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 8470e64d826be14fa0e8615fbef57011711cab74c1ff6a2351681119a16d7e2b
Instruction ID: 9a2d7a6e4a000803421ab5e5858b4a521d0cccf8731275a4fc8fc5b99537ea21
Opcode Fuzzy Hash: 8470e64d826be14fa0e8615fbef57011711cab74c1ff6a2351681119a16d7e2b
Instruction Fuzzy Hash: 8B416B21E0425C6BDF219B6888917BE7FB2FF45304F286475FC86DB286D6349D4483A3

Function 00847A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00847AAB
_memmove.LIBCMT ref: 00847B16

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: 0caa243640cfb5b454e8f568b732e80434d93c04a1cb4a9169b9391906c4c8e6
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 4031C5B160461AAFC704DF68C8D1E6DF3A9FF483247158629E519CB391EB30ED20CB90

Function 008447D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00844834

Part of subcall function 0086336C: __lock.LIBCMT ref: 00863372
Part of subcall function 0086336C: DecodePointer.KERNEL32(00000001,?,00844849,00897C74), ref: 0086337E
Part of subcall function 0086336C: EncodePointer.KERNEL32(?,?,00844849,00897C74), ref: 00863389

Part of subcall function 008448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00844915
Part of subcall function 008448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0084492A

Part of subcall function 00843B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00843B68
Part of subcall function 00843B3A: IsDebuggerPresent.KERNEL32 ref: 00843B7A
Part of subcall function 00843B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009052F8,009052E0,?,?), ref: 00843BEB
Part of subcall function 00843B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00843C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00844874

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: b88a2abc1456f19a6cec4fe62678e063f1d19fd1329728bb48c988758aacee5c
Instruction ID: cb1adeb94debf2af9e159cbb5b1f80aead39a0ba0a2fb39cef4b7279690e0c0a
Opcode Fuzzy Hash: b88a2abc1456f19a6cec4fe62678e063f1d19fd1329728bb48c988758aacee5c
Instruction Fuzzy Hash: 0C116A719183499FD700EF2CE84590ABBE8FF85750F11452AF090C32B1DB709A44CB92

Function 00860DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0086571C: __FF_MSGBANNER.LIBCMT ref: 00865733
Part of subcall function 0086571C: __NMSG_WRITE.LIBCMT ref: 0086573A
Part of subcall function 0086571C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F

std::exception::exception.LIBCMT ref: 00860DEC
__CxxThrowException@8.LIBCMT ref: 00860E01

Part of subcall function 0086859B: RaiseException.KERNEL32(?,?,?,008F9E78,00000000,?,?,?,?,00860E06,?,008F9E78,?,00000001), ref: 008685F0

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 5bbbdc66003ae8ecb396a6113e8f31f40525f8dd60af04adf5bf5bf90bcd4d7e
Instruction ID: 4c0076de8b2a732a44e3aa22d115ee4491dde670ca216d4f47c0bb8ce6981355
Opcode Fuzzy Hash: 5bbbdc66003ae8ecb396a6113e8f31f40525f8dd60af04adf5bf5bf90bcd4d7e
Instruction Fuzzy Hash: FAF0A43550021DA6CB10BAE8EC06ADF7BADFF11351F110666F918E6281DFB19A448ADA

Function 008655FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0086562C
__lock_file.LIBCMT ref: 0086564D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e4f7b20559cb658eb8c531b97832fc0a0434ce9f3583ac184e6c91f3a0f15e86
Instruction ID: 14c26f72d3e08ff4e570d5879a8a0f2c259f536d5ca41ffce831283deb5d3cf0
Opcode Fuzzy Hash: e4f7b20559cb658eb8c531b97832fc0a0434ce9f3583ac184e6c91f3a0f15e86
Instruction Fuzzy Hash: D901AC71800A08EBCF11AF6DDC0249E7B61FF61361F568255F418DB151DB718551DF53

Function 008653A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

__lock_file.LIBCMT ref: 008653EB

Part of subcall function 00866C11: __lock.LIBCMT ref: 00866C34

__fclose_nolock.LIBCMT ref: 008653F6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4aa586414f18bd1c14eac8ca5f5e3accad81a78e0c904a4018e398f05063a803
Instruction ID: 268d763ba8189e4de914a211bd55c4be475c8e3ca8134204bd042c71bba7c4ff
Opcode Fuzzy Hash: 4aa586414f18bd1c14eac8ca5f5e3accad81a78e0c904a4018e398f05063a803
Instruction Fuzzy Hash: DBF09671800A04DADB106F7D99027AD7AA0FF42774F238309A428EB3C1CFBC49419B53

Function 0112CD1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0112D54D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0112D571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0112D593

Memory Dump Source

Source File: 00000000.00000002.1720586775.000000000112B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112b000_prlsqnzspl.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 25d0a200b9ba7b91754bb56607348a4a4e2ab7455fad28579bc4547979f39736
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: E512CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4E91CF5A

Function 00860C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00860CB7

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d15cde7a64f4e2241bbdfa984dbfde16299e49d15483f666ad18fee52d20ac20
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7231C274A001099FC718DF58D484A6AF7A6FB59300B6686A5E80ACB351D731EED1DF88

Function 0087FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0087FCB7

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 44ea833a619dbe57c6deabdce143a563344447226514658396808c83f377f0f2
Instruction ID: 18eff8eb4ea11a016a413b20daf6c89a14a2f5209c4f0586832a307d02e8f088
Opcode Fuzzy Hash: 44ea833a619dbe57c6deabdce143a563344447226514658396808c83f377f0f2
Instruction Fuzzy Hash: AE41E5746043559FDB24DF18C484B1ABBE1FF45318F0988ACE9998B762C736E849CF52

Function 00847B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00847BB3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3495ef5d3dbfa6d7b215b80445b3c4143e04deb6de18bebd1b2c0d532ec4e2b4
Instruction ID: 9a0ff5fadeb594d59bbfb64eb610b915bc67b849b80a826e3d2dff2200547957
Opcode Fuzzy Hash: 3495ef5d3dbfa6d7b215b80445b3c4143e04deb6de18bebd1b2c0d532ec4e2b4
Instruction Fuzzy Hash: B3210872614A0DEBDB148F25E841B7A7BB4FB58354F21C56DE489C5194EB30C1D0D745

Function 00844DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00844BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00844BEF

Part of subcall function 0086525B: __wfsopen.LIBCMT ref: 00865266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E0F

Part of subcall function 00844B6A: FreeLibrary.KERNEL32(00000000), ref: 00844BA4

Part of subcall function 00844C70: _memmove.LIBCMT ref: 00844CBA

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 85707e9cd690d6049f92edce60849ec3d3d897bc8a9de7c8616de3db0fcd0a77
Instruction ID: eb5d529f24b3b84e8ebfaac8ae998bca8736b665aa3d1d51013457f261e9504c
Opcode Fuzzy Hash: 85707e9cd690d6049f92edce60849ec3d3d897bc8a9de7c8616de3db0fcd0a77
Instruction Fuzzy Hash: 0711A33160030DABDF15AFB8C816FAD77A9FF44720F108829F541E7182EA759A159B52

Function 0087FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0087FD91

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e15bd010472382aea76bc6f70ab5f9e8c92375782c0c7c69e1c594c321449e39
Instruction ID: c5c1a80b33f20d0d57ba577b80da9fe6071378df371821e0ecb9df9df8db2d31
Opcode Fuzzy Hash: e15bd010472382aea76bc6f70ab5f9e8c92375782c0c7c69e1c594c321449e39
Instruction Fuzzy Hash: CD21F374A08305DFDB14DF64C444A1ABBE1FF84314F058968F9899B762D731E809CB92

Function 0086072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c8787378cc9b0549549dc8e2e1f9abc997af8c45933c2d94c1386071a72fd762
Instruction ID: d73788066a162cfb9538c7dfb1a5f515066551741da33d9af3edf35ac9c61b39
Opcode Fuzzy Hash: c8787378cc9b0549549dc8e2e1f9abc997af8c45933c2d94c1386071a72fd762
Instruction Fuzzy Hash: 4B0162764413549FD7138F78A8019F57BF9FF86620B0605FAE844CB961D6305D158BE1

Function 00864863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 008648A6

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9cbc0b66394bfe5e78ed1a57df11b1f53a533c7255d5deb4ef34f6dc2b92676d
Instruction ID: 354de08a4ec13c0233bd2d1bc0d6057cab072fb96376e343bb359c613252baaf
Opcode Fuzzy Hash: 9cbc0b66394bfe5e78ed1a57df11b1f53a533c7255d5deb4ef34f6dc2b92676d
Instruction Fuzzy Hash: A9F0AF71900649EBDF11AFBC8C067AE36A1FF00325F179524F428DB191DBB88951DF52

Function 00844E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844E7E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6da3c3cf1729c14103cde8af6b5a9ce82bcf9027d802b002003a8cae5af97adb
Instruction ID: c111075034bbb36c4c05f2f70c8beff13139d1f0b10468da98c2a9f829274640
Opcode Fuzzy Hash: 6da3c3cf1729c14103cde8af6b5a9ce82bcf9027d802b002003a8cae5af97adb
Instruction Fuzzy Hash: 67F01571501719CFDB349F68E894912BBE1FF143393249A3EE2D6C2620C732A840DB40

Function 00860791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008607B0

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 218fd4e0faecc2a8b2cb8ce757f8cb041d5c7bfee9db287eabd550d98d70a110
Instruction ID: 3e2d5605f7b2cd0be7cccf812d40a554756242c8366c68f160058bb9468a4e2c
Opcode Fuzzy Hash: 218fd4e0faecc2a8b2cb8ce757f8cb041d5c7bfee9db287eabd550d98d70a110
Instruction Fuzzy Hash: 1DE0CD369041285BC721D65C9C05FEA77EDEF887A0F0441B5FD0CD7209DA709C8086D1

Function 008A8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008A8EC1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: bb3a21a0482e5ca5f3f1c58ebbdc9494ec9b0ea5a4d81a0da972bb2f84d4a120
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 71E092B0504B009FD7388A24D805BA373E1FB06304F00081DF2AAC3241EB6278418B59

Function 0086525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00865266

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 26d35b798997bd9cc99275f1a03e4c5531cbbce0bd8cbbf11a193ca2a5c12403
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: AEB0927644020C77CE012A86EC02A493B1AAB41B64F408020FB0C18262A673A6649A8A

Function 0112DD20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0112DD31

Memory Dump Source

Source File: 00000000.00000002.1720586775.000000000112B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_112b000_prlsqnzspl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 61a295fb668deb0c7f49508db333e5b59de2ebc836ce44d443d5c1d94f946a83
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7CE0BF7494010D9FDB00EFA8D54969E7BB4EF04301F100561FD0192281D73099608A62

Non-executed Functions

Function 008CCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008CCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008CCB95
GetWindowLongW.USER32(?,000000F0), ref: 008CCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008CCC00
SendMessageW.USER32 ref: 008CCC29
_wcsncpy.LIBCMT ref: 008CCC95
GetKeyState.USER32(00000011), ref: 008CCCB6
GetKeyState.USER32(00000009), ref: 008CCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008CCCD9
GetKeyState.USER32(00000010), ref: 008CCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008CCD0C
SendMessageW.USER32 ref: 008CCD33
SendMessageW.USER32(?,00001030,?,008CB348), ref: 008CCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008CCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008CCE60
SetCapture.USER32(?), ref: 008CCE69
ClientToScreen.USER32(?,?), ref: 008CCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008CCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008CCEF5
ReleaseCapture.USER32 ref: 008CCF00
GetCursorPos.USER32(?), ref: 008CCF3A
ScreenToClient.USER32(?,?), ref: 008CCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 008CCFA3
SendMessageW.USER32 ref: 008CCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 008CD00E
SendMessageW.USER32 ref: 008CD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008CD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008CD06D
GetCursorPos.USER32(?), ref: 008CD08D
ScreenToClient.USER32(?,?), ref: 008CD09A
GetParent.USER32(?), ref: 008CD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 008CD123
SendMessageW.USER32 ref: 008CD154
ClientToScreen.USER32(?,?), ref: 008CD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008CD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 008CD20C
SendMessageW.USER32 ref: 008CD22F
ClientToScreen.USER32(?,?), ref: 008CD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008CD2B5

Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC

GetWindowLongW.USER32(?,000000F0), ref: 008CD351

Strings

@GUI_DRAGID, xrefs: 008CCE9C
F, xrefs: 008CD235

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: be274c1a33b4958842ed1cd6210274c2cf850dff7af831819cb4663140461478
Instruction ID: a1bde3fd3313fc9984a8bda12eb4c29dc8a6c287476b4098c96f251321339f47
Opcode Fuzzy Hash: be274c1a33b4958842ed1cd6210274c2cf850dff7af831819cb4663140461478
Instruction Fuzzy Hash: 88426774208641AFDB249F68C849FAABBF5FF49320F14452DFA99C72A1D731D840DB52

Function 00856F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008571C3
_memset.LIBCMT ref: 00857539
_memmove.LIBCMT ref: 008576AC

Strings

\b(?<=\w), xrefs: 00893773
[:<:]], xrefs: 00857479
DEFINE, xrefs: 00892103
Q\E, xrefs: 00857FCB
\b(?=\w), xrefs: 00893769
[:>:]], xrefs: 00857492

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 2b0f46f4229420284ea161b7e5f416254ef647adb7ad48a620848f488753cff8
Instruction ID: 022afbcdb5159ae40d922725734860aa8fe9881a3a2b5a55d7e7549dd6344295
Opcode Fuzzy Hash: 2b0f46f4229420284ea161b7e5f416254ef647adb7ad48a620848f488753cff8
Instruction Fuzzy Hash: 2A93AF75A04219DFDF24DF98D881BADB7B1FF48314F29816AE945EB281E7709E81CB40

Function 008448D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 008448DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087D665
IsIconic.USER32(?), ref: 0087D66E
ShowWindow.USER32(?,00000009), ref: 0087D67B
SetForegroundWindow.USER32(?), ref: 0087D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0087D69B
GetCurrentThreadId.KERNEL32 ref: 0087D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0087D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0087D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0087D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0087D6CF
SetForegroundWindow.USER32(?), ref: 0087D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D6E7
keybd_event.USER32(00000012,00000000), ref: 0087D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D6FC
keybd_event.USER32(00000012,00000000), ref: 0087D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D70A
keybd_event.USER32(00000012,00000000), ref: 0087D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0087D719
keybd_event.USER32(00000012,00000000), ref: 0087D71E
SetForegroundWindow.USER32(?), ref: 0087D721
AttachThreadInput.USER32(?,?,00000000), ref: 0087D748

Strings

Shell_TrayWnd, xrefs: 0087D660

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1b2ac5ae4b7d9b5b9d126248f5997ba50ed29492233d3877b240dd95e904712a
Instruction ID: fdfad92489920555db978db7de6151013c64352e838dfbb2a8e2af12f8b386e1
Opcode Fuzzy Hash: 1b2ac5ae4b7d9b5b9d126248f5997ba50ed29492233d3877b240dd95e904712a
Instruction Fuzzy Hash: 1F315571A40318BBFB215B619C49F7F7E7DFF44B50F108025FB09EA1D1D6B09911AAA1

Function 00898310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 008987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
Part of subcall function 008987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
Part of subcall function 008987E1: GetLastError.KERNEL32 ref: 00898865

_memset.LIBCMT ref: 00898353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008983A5
CloseHandle.KERNEL32(?), ref: 008983B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008983CD
GetProcessWindowStation.USER32 ref: 008983E6
SetProcessWindowStation.USER32(00000000), ref: 008983F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0089840A

Part of subcall function 008981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00898309), ref: 008981E0
Part of subcall function 008981CB: CloseHandle.KERNEL32(?,?,00898309), ref: 008981F2

Strings

winsta0, xrefs: 008983C8
, xrefs: 00898362
default, xrefs: 00898405

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: b6a59b8009650d79b7534bab4115dcf7a41b2394f117c01c93943ea8f42f0d28
Instruction ID: 368bed53f275e1f950d3097c867a0135313d6e20d859a92a19f8dbce5e6c0ce4
Opcode Fuzzy Hash: b6a59b8009650d79b7534bab4115dcf7a41b2394f117c01c93943ea8f42f0d28
Instruction Fuzzy Hash: E781277190024AEFEF11AFA4DC45EEEBBB9FF05304F184169F914E6261DB318A19DB21

Function 008AC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008AC78D
FindClose.KERNEL32(00000000), ref: 008AC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008AC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008AC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 008AC844
__swprintf.LIBCMT ref: 008AC890
__swprintf.LIBCMT ref: 008AC8D3

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

__swprintf.LIBCMT ref: 008AC927

Part of subcall function 00863698: __woutput_l.LIBCMT ref: 008636F1

__swprintf.LIBCMT ref: 008AC975

Part of subcall function 00863698: __flsbuf.LIBCMT ref: 00863713
Part of subcall function 00863698: __flsbuf.LIBCMT ref: 0086372B

__swprintf.LIBCMT ref: 008AC9C4
__swprintf.LIBCMT ref: 008ACA13
__swprintf.LIBCMT ref: 008ACA62

Strings

%4d, xrefs: 008AC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 008AC88A
%02d, xrefs: 008AC91B, 008AC925, 008AC973, 008AC9C2, 008ACA11, 008ACA60

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 202c127e2887a35f327d55106375989692c8e15a9424a80c95a40eefe6266359
Instruction ID: 6ba3df5cdca47c601f0cf13f8c5fc9838756ea9d5a7fb0d13a1490feb8528a87
Opcode Fuzzy Hash: 202c127e2887a35f327d55106375989692c8e15a9424a80c95a40eefe6266359
Instruction Fuzzy Hash: AEA11EB1408209ABD750EFA8C885DAFB7ECFF95704F404929F595C6192EB34DA08CB63

Function 008AEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008AEFB6
_wcscmp.LIBCMT ref: 008AEFCB
_wcscmp.LIBCMT ref: 008AEFE2
GetFileAttributesW.KERNEL32(?), ref: 008AEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 008AF00E
FindNextFileW.KERNEL32(00000000,?), ref: 008AF026
FindClose.KERNEL32(00000000), ref: 008AF031
FindFirstFileW.KERNEL32(*.*,?), ref: 008AF04D
_wcscmp.LIBCMT ref: 008AF074
_wcscmp.LIBCMT ref: 008AF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 008AF09D
SetCurrentDirectoryW.KERNEL32(008F8920), ref: 008AF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AF0C5
FindClose.KERNEL32(00000000), ref: 008AF0D2
FindClose.KERNEL32(00000000), ref: 008AF0E4

Strings

*.*, xrefs: 008AF048

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5579b8e4747d5001b6bd8b7cd040d8380a7d0eeac138c8f2aa995733ae19f7c9
Instruction ID: 7c611256b8e39afa92fd15eddb4af9e3234f126238d8ce900163006c6eaba008
Opcode Fuzzy Hash: 5579b8e4747d5001b6bd8b7cd040d8380a7d0eeac138c8f2aa995733ae19f7c9
Instruction Fuzzy Hash: 3C31D232600608ABEB149BB4EC48EEEB7ADFF4A360F104175EA10D3193DB74DA44CE61

Function 008C0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,008CF910,00000000,?,00000000,?,?), ref: 008C09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008C0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 008C0A92
RegCloseKey.ADVAPI32(?), ref: 008C0DB2
RegCloseKey.ADVAPI32(00000000), ref: 008C0DBF

Strings

REG_BINARY, xrefs: 008C0D4D
REG_EXPAND_SZ, xrefs: 008C0A2F
REG_MULTI_SZ, xrefs: 008C0B7A
REG_DWORD, xrefs: 008C0C83
REG_SZ, xrefs: 008C0AD0
REG_QWORD, xrefs: 008C0D00

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 35e58bafea89a0cfb7aff0d0cdf423b7d4840c8bca759a31159a33e741506da3
Instruction ID: 40589f9ddc171e4e71af25b71a20d33e26f18311f37884b8cc46a4e2382bbe14
Opcode Fuzzy Hash: 35e58bafea89a0cfb7aff0d0cdf423b7d4840c8bca759a31159a33e741506da3
Instruction Fuzzy Hash: 820246756006159FCB24EF28C841E2AB7E5FF89714F04856DF99ADB262CB31EC45CB82

Function 008AF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008AF113
_wcscmp.LIBCMT ref: 008AF128
_wcscmp.LIBCMT ref: 008AF13F

Part of subcall function 008A4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008A43A0

FindNextFileW.KERNEL32(00000000,?), ref: 008AF16E
FindClose.KERNEL32(00000000), ref: 008AF179
FindFirstFileW.KERNEL32(*.*,?), ref: 008AF195
_wcscmp.LIBCMT ref: 008AF1BC
_wcscmp.LIBCMT ref: 008AF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 008AF1E5
SetCurrentDirectoryW.KERNEL32(008F8920), ref: 008AF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AF20D
FindClose.KERNEL32(00000000), ref: 008AF21A
FindClose.KERNEL32(00000000), ref: 008AF22C

Strings

*.*, xrefs: 008AF190

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c06980c0f1edc0b593ce25605b08ef3dc8af41c2d02e85727e97a6861e0763e2
Instruction ID: a16f0a753b28d981380b6c32bb34b22cb5ea36e89ecf9192a21ea3d7e90ccc98
Opcode Fuzzy Hash: c06980c0f1edc0b593ce25605b08ef3dc8af41c2d02e85727e97a6861e0763e2
Instruction Fuzzy Hash: 7D319136500219AAEB10AAB4EC49FEE77BDFF46360F100175EA10E35A2DB74DE45CA64

Function 008AA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008AA20F
__swprintf.LIBCMT ref: 008AA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 008AA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008AA293
_memset.LIBCMT ref: 008AA2B2
_wcsncpy.LIBCMT ref: 008AA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008AA323
CloseHandle.KERNEL32(00000000), ref: 008AA32E
RemoveDirectoryW.KERNEL32(?), ref: 008AA337
CloseHandle.KERNEL32(00000000), ref: 008AA341

Strings

:, xrefs: 008AA252
\??\%s, xrefs: 008AA22B
\, xrefs: 008AA247

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7ed8cd4bfbcfb6c1810182a0b2de6a86eaae7bc050261d782a3b33215f6c1880
Instruction ID: 0135c985014062ee0729d22e1ede9b482671c3c0c60b976d46844b734adeeefe
Opcode Fuzzy Hash: 7ed8cd4bfbcfb6c1810182a0b2de6a86eaae7bc050261d782a3b33215f6c1880
Instruction Fuzzy Hash: DA31B0B1900109ABEB219FA4DC49FEB37BDFF89741F1040B6F608D2661EB709644CB25

Function 00897CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00898202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0089821E
Part of subcall function 00898202: GetLastError.KERNEL32(?,00897CE2,?,?,?), ref: 00898228
Part of subcall function 00898202: GetProcessHeap.KERNEL32(00000008,?,?,00897CE2,?,?,?), ref: 00898237
Part of subcall function 00898202: HeapAlloc.KERNEL32(00000000,?,00897CE2,?,?,?), ref: 0089823E
Part of subcall function 00898202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00898255

Part of subcall function 0089829F: GetProcessHeap.KERNEL32(00000008,00897CF8,00000000,00000000,?,00897CF8,?), ref: 008982AB
Part of subcall function 0089829F: HeapAlloc.KERNEL32(00000000,?,00897CF8,?), ref: 008982B2
Part of subcall function 0089829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00897CF8,?), ref: 008982C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00897D13
_memset.LIBCMT ref: 00897D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00897D47
GetLengthSid.ADVAPI32(?), ref: 00897D58
GetAce.ADVAPI32(?,00000000,?), ref: 00897D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00897DB1
GetLengthSid.ADVAPI32(?), ref: 00897DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00897DDD
HeapAlloc.KERNEL32(00000000), ref: 00897DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00897E05
CopySid.ADVAPI32(00000000), ref: 00897E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00897E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00897E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00897E77

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0057255c887a8a400b7cdfae321d58643f0284b75a296a1361e8327becc03e08
Instruction ID: f93262a85cc59cdb0facfb8ea958f7d55f20fbbea15a7041e2478e0eeea1522b
Opcode Fuzzy Hash: 0057255c887a8a400b7cdfae321d58643f0284b75a296a1361e8327becc03e08
Instruction Fuzzy Hash: 87611B7191450AEFEF01AFA4DC45EEEBB7AFF04700F088169F915E6291DB359A05CB60

Function 008566E1 Relevance: 19.6, Strings: 15, Instructions: 889COMMON

Download Yara Rule

Strings

UTF), xrefs: 008910FA
CR), xrefs: 00891287
NO_START_OPT), xrefs: 0089114F
CRLF), xrefs: 008912C1
ANYCRLF), xrefs: 008912FB
ANY), xrefs: 008912DE
BSR_ANYCRLF), xrefs: 0089131E
UCP), xrefs: 0089110D
NO_AUTO_POSSESS), xrefs: 0089112E
UTF16), xrefs: 008910CF
LIMIT_RECURSION=, xrefs: 008911FC
LF), xrefs: 008912A4
BSR_UNICODE), xrefs: 00891338
fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0, xrefs: 00891349
LIMIT_MATCH=, xrefs: 00891170

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0
API String ID: 0-2825879562
Opcode ID: 6a8b090b0e2a7e23e28475f31ae2d8931b87435b3b11cf31891e76f0afd96146
Instruction ID: 91b73ae3022453e8770a925ed33b3ab1c6d3084176adcb41e3e2f5a6d84826f2
Opcode Fuzzy Hash: 6a8b090b0e2a7e23e28475f31ae2d8931b87435b3b11cf31891e76f0afd96146
Instruction Fuzzy Hash: 6572A175E0421ADBDF14DF58C8807AEB7B5FF48315F54816AE949EB280EB309E85CB90

Function 008A001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008A0097
SetKeyboardState.USER32(?), ref: 008A0102
GetAsyncKeyState.USER32(000000A0), ref: 008A0122
GetKeyState.USER32(000000A0), ref: 008A0139
GetAsyncKeyState.USER32(000000A1), ref: 008A0168
GetKeyState.USER32(000000A1), ref: 008A0179
GetAsyncKeyState.USER32(00000011), ref: 008A01A5
GetKeyState.USER32(00000011), ref: 008A01B3
GetAsyncKeyState.USER32(00000012), ref: 008A01DC
GetKeyState.USER32(00000012), ref: 008A01EA
GetAsyncKeyState.USER32(0000005B), ref: 008A0213
GetKeyState.USER32(0000005B), ref: 008A0221

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 31178ea658400016c0a9b93ad5d761ddda8c8d17788a4062e522f781b2195986
Instruction ID: 624d1c7590eb1c0cc6c978be53fcc5a00ebd747678c3e6c8f4c84e2567c9adc1
Opcode Fuzzy Hash: 31178ea658400016c0a9b93ad5d761ddda8c8d17788a4062e522f781b2195986
Instruction Fuzzy Hash: 1651CB2090478819FF35DBA488547EABFB4FF13380F08459995C19B9C3DAA49B8CCF62

Function 008C03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C04AC

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008C054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008C05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 008C0822
RegCloseKey.ADVAPI32(00000000), ref: 008C082F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4d0cb788a9689f606ae66aa409a3786e3c617bb303ebaedf800565a339cb184b
Instruction ID: 8fecccb990ecb643476570593bd2db2ae18a88a76c79a6171bba835b6d811804
Opcode Fuzzy Hash: 4d0cb788a9689f606ae66aa409a3786e3c617bb303ebaedf800565a339cb184b
Instruction Fuzzy Hash: 19E13B71204214EFCB14DF28C891E2ABBF5FF89754B04856DF94ADB262DA31E905CF92

Function 008B4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008B418B
EmptyClipboard.USER32 ref: 008B4191
GlobalAlloc.KERNEL32(00000002,?), ref: 008B41A6
CloseClipboard.USER32 ref: 008B4245

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5994cf3c91f2514377373456cb7c1c01f2413b87dc85bdd8dcb3e2494a113d83
Instruction ID: ea5012f7d886fcb89268465c4a2d83a937299ab3dc8e1393b6eaba81cd22083a
Opcode Fuzzy Hash: 5994cf3c91f2514377373456cb7c1c01f2413b87dc85bdd8dcb3e2494a113d83
Instruction Fuzzy Hash: D62171356002159FEB10AF68DC09F6A7BB9FF54711F158025FA45DB3A2DB30AC01CB55

Function 008A37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770

Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32

FindFirstFileW.KERNEL32(?,?), ref: 008A38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008A394B
MoveFileW.KERNEL32(?,?), ref: 008A395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008A397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 008A399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 008A39B9

Strings

\*.*, xrefs: 008A384E, 008A3857, 008A386C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: fcf1986f1479e0326979b9a06c6ae75e70fc4252572e279101af1747b246f2da
Instruction ID: dd2d4194288d0c5551aa7fe46aa50f50c3101d14440213697048708b73f994e5
Opcode Fuzzy Hash: fcf1986f1479e0326979b9a06c6ae75e70fc4252572e279101af1747b246f2da
Instruction Fuzzy Hash: 7251703180514CAADF01EBA4D992DEEBB79FF16300F640069F406F6592EB316F09CB52

Function 008AF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008AF440
Sleep.KERNEL32(0000000A), ref: 008AF470
_wcscmp.LIBCMT ref: 008AF484
_wcscmp.LIBCMT ref: 008AF49F
FindNextFileW.KERNEL32(?,?), ref: 008AF53D
FindClose.KERNEL32(00000000), ref: 008AF553

Strings

*.*, xrefs: 008AF425

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: c56f85916c09a3668b3efb622d4fbd5d5446817aa88e9ffc808a97ddd83dbeed
Instruction ID: 7de922a256a12bfc656dc37d3cff8d45f3ab59c7e7e898eb7e414e36fcf5526d
Opcode Fuzzy Hash: c56f85916c09a3668b3efb622d4fbd5d5446817aa88e9ffc808a97ddd83dbeed
Instruction Fuzzy Hash: C0414B71D0021EABEF14DFA8DC59AEEBBB4FF05310F144566E915E2292EB309E44CB51

Function 00855760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008558A5
_memmove.LIBCMT ref: 008558F5
_memmove.LIBCMT ref: 0085595B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 25356b42e7e924f31a6d3e996581fa94f99e234c8fe6e6ef41819b3019ec9022
Instruction ID: 5c989bcebe0253a1b0a0497b6003a180cab43f740801a099da5d383a0b9ad894
Opcode Fuzzy Hash: 25356b42e7e924f31a6d3e996581fa94f99e234c8fe6e6ef41819b3019ec9022
Instruction Fuzzy Hash: B112AA70A00A09EFCF04DFA8D991AAEB7F5FF48300F144529E846E7251EB36AD24CB55

Function 008A3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770

Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32

FindFirstFileW.KERNEL32(?,?), ref: 008A3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 008A3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 008A3BEA
FindClose.KERNEL32(00000000), ref: 008A3C01
FindClose.KERNEL32(00000000), ref: 008A3C0A

Strings

\*.*, xrefs: 008A3B5B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4194bd1be73baf006b96e2cf2a94c6691c4d4b9b6e733d010db5a08f8b3e3814
Instruction ID: 644014805ede1d7334fe3a20a6d3f063b9474efef212ff57b3485aff87dcd8a5
Opcode Fuzzy Hash: 4194bd1be73baf006b96e2cf2a94c6691c4d4b9b6e733d010db5a08f8b3e3814
Instruction Fuzzy Hash: C7316F310083899BD301EF28D895DAFBBA9FE92314F404D2DF4D5D2192EB359A09C763

Function 008A51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
Part of subcall function 008987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
Part of subcall function 008987E1: GetLastError.KERNEL32 ref: 00898865

ExitWindowsEx.USER32(?,00000000), ref: 008A51F9

Strings

SeShutdownPrivilege, xrefs: 008A51C9
, xrefs: 008A51E7
@, xrefs: 008A51EC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f53858cde8f356d233297a80a0b5b0c4615cc2bc8a8856a960e548ac3d8ba490
Instruction ID: d30f63fa91f3ca6556c7bec9193ed1df9474576b0e4139a4c792776b498f17e9
Opcode Fuzzy Hash: f53858cde8f356d233297a80a0b5b0c4615cc2bc8a8856a960e548ac3d8ba490
Instruction Fuzzy Hash: 8D012B317916156BF72862789C8AFBB7298FB07754F240431FA23E28D2DA611C808590

Function 008B6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008B62DC
WSAGetLastError.WSOCK32(00000000), ref: 008B62EB
bind.WSOCK32(00000000,?,00000010), ref: 008B6307
listen.WSOCK32(00000000,00000005), ref: 008B6316
WSAGetLastError.WSOCK32(00000000), ref: 008B6330
closesocket.WSOCK32(00000000,00000000), ref: 008B6344

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ca4393113848827d2f9b7af2fc162b4e15d2ca2844bb3621b5e72a67c96b2e71
Instruction ID: 448a499363b79471420cf90d97c531d2394a02893f0d9c03da3c4b56aec9324c
Opcode Fuzzy Hash: ca4393113848827d2f9b7af2fc162b4e15d2ca2844bb3621b5e72a67c96b2e71
Instruction Fuzzy Hash: E4219E316002089FDB10EF68D845EAEB7F9FF48720F144169E956E7392D774AD11CB52

Function 00855520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01

_memmove.LIBCMT ref: 00890258
_memmove.LIBCMT ref: 0089036D
_memmove.LIBCMT ref: 00890414

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: fea600fdbe3bc90c066203976eb759f24e26353aa2e2030ed7b253e7220b4359
Instruction ID: 6bb9d8f4b782ead0e0f5bf196cdc50af36162a6b15acdb98378fc33641dabc37
Opcode Fuzzy Hash: fea600fdbe3bc90c066203976eb759f24e26353aa2e2030ed7b253e7220b4359
Instruction Fuzzy Hash: 1B029DB0A00209DFCF04EF68D991AAEBBF5FF44304F158069E80ADB255EB35D954CB96

Function 00841287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

DefDlgProcW.USER32(?,?,?,?,?), ref: 008419FA
GetSysColor.USER32(0000000F), ref: 00841A4E
SetBkColor.GDI32(?,00000000), ref: 00841A61

Part of subcall function 00841290: DefDlgProcW.USER32(?,00000020,?), ref: 008412D8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 742a28af6b7eb505f59233ec5a2700006bf97c84919d06165694b0ee30210fee
Instruction ID: 433b678b1fe97d128287db3b355b85c9a1bb2d3a096bc5bb054bee67a709b52b
Opcode Fuzzy Hash: 742a28af6b7eb505f59233ec5a2700006bf97c84919d06165694b0ee30210fee
Instruction Fuzzy Hash: BFA1587111656CBEEE28EE2C8C4CF7F3D6EFB41749B14411AF606D2196EB20CD8096B2

Function 008ABCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008ABCE6
_wcscmp.LIBCMT ref: 008ABD16
_wcscmp.LIBCMT ref: 008ABD2B
FindNextFileW.KERNEL32(00000000,?), ref: 008ABD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 008ABD6C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c37cc53b78ee6b302deccf95f85b45a789a0564ad8250698f884b07f52291216
Instruction ID: 6f356f1f8211032158fc185c8ec2a9064fd6b28832af6b1cdb86d304623f67d0
Opcode Fuzzy Hash: c37cc53b78ee6b302deccf95f85b45a789a0564ad8250698f884b07f52291216
Instruction Fuzzy Hash: 26518D356046059FE714DF68C490EAAB7E4FF4A324F10462DE956C77A2DB30ED04CB92

Function 008B6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008B679E
WSAGetLastError.WSOCK32(00000000), ref: 008B67C7
bind.WSOCK32(00000000,?,00000010), ref: 008B6800
WSAGetLastError.WSOCK32(00000000), ref: 008B680D
closesocket.WSOCK32(00000000,00000000), ref: 008B6821

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d2a69c4a64b518ff05a6fa8c37a812dc141073b5059359530f17fbacb4f4b4f3
Instruction ID: eff2d8fb1e8cc0f245f2a6445a56db6c2bd3b2996724e6edf9185fd315826069
Opcode Fuzzy Hash: d2a69c4a64b518ff05a6fa8c37a812dc141073b5059359530f17fbacb4f4b4f3
Instruction Fuzzy Hash: 69419675A00218AFDB60BF288C86F6E77A4FF45714F044568FA59EB3D3DA749D008792

Function 008C5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008C53C5
IsWindowEnabled.USER32 ref: 008C53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 008C53E0
IsIconic.USER32 ref: 008C53EE
IsZoomed.USER32 ref: 008C53FC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a72fcbf367ce0bf7ca0d6d116361d269ff53cd2cf5c76aa54469976e6cd47199
Instruction ID: 8b04f7e398870808a7df0bbcb4ecdb793f71b54fb481d2dbf9be076710291e00
Opcode Fuzzy Hash: a72fcbf367ce0bf7ca0d6d116361d269ff53cd2cf5c76aa54469976e6cd47199
Instruction Fuzzy Hash: 7911B2313009556BEF216F2A9C44F6B7BB9FF857A1B40803CF946D3242DBB0ED4186A5

Function 008980A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008980C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008980CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008980D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008980E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008980F6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 301424c3a20ace0ea814e8200d53d4db25d98e309bf5686c33397e0233ad8424
Instruction ID: d4af4b41f3ad9d154516af20d790b0751dd2310d490ca26e2835809c6f4907ae
Opcode Fuzzy Hash: 301424c3a20ace0ea814e8200d53d4db25d98e309bf5686c33397e0233ad8424
Instruction Fuzzy Hash: 09F04F31240205EFEB115FA5EC8DE673BBDFF4A755B04002AFA46D6151CB719C41DA60

Function 008AC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008AC432
CoCreateInstance.OLE32(008D2D6C,00000000,00000001,008D2BDC,?), ref: 008AC44A

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

CoUninitialize.OLE32 ref: 008AC6B7

Strings

.lnk, xrefs: 008AC3C6, 008AC3EE, 008AC3F8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7aaaa45d86b2d2ce09acb86a843a20116205e1247b65ab369812a84f87ad0f5a
Instruction ID: 3a7007ebfcdc677a7bd2e83d81ce1df77729523f327aaac4900a06d4191d7da8
Opcode Fuzzy Hash: 7aaaa45d86b2d2ce09acb86a843a20116205e1247b65ab369812a84f87ad0f5a
Instruction Fuzzy Hash: 49A11A71104209AFD700EF58C881EAFB7A8FF99354F00492DF195D7192EB71E909CB62

Function 00844B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00844AD0), ref: 00844B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00844B57

Strings

GetNativeSystemInfo, xrefs: 00844B51
kernel32.dll, xrefs: 00844B40

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 25322fb02d6bf83de5e5a5f7c5202e860a14770cd99563be43b7e6358681051a
Instruction ID: c364b45e069bd348a99d578221db66abb66e5c02649cee65e4736bb2edc59aa3
Opcode Fuzzy Hash: 25322fb02d6bf83de5e5a5f7c5202e860a14770cd99563be43b7e6358681051a
Instruction Fuzzy Hash: 14D0C730A00B17CFE7208F72E828F02B2F6FF003A0B14C83EA592D2250E774E880CA14

Function 00853030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: f8b25bee29d274088bd6c56d0cf541e6067b5d16d0ccf111ef41a3e31f46a60f
Instruction ID: 3b8e57510b34ec4c747258ecb47bfc73c582c5025af1b6f9ab6b27d5db809377
Opcode Fuzzy Hash: f8b25bee29d274088bd6c56d0cf541e6067b5d16d0ccf111ef41a3e31f46a60f
Instruction Fuzzy Hash: A72267716083049BC724EF28C891B6AB7E5FF84354F14492DF99AD7291EB71E908CB92

Function 008BEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008BEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 008BEE4B

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Process32NextW.KERNEL32(00000000,?), ref: 008BEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 008BEF1A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: cedde2ea168fcb0feb12134ca933550a549645bcea35c3d985cd85bec1a6abf1
Instruction ID: b066818754afed489887d460ebc94172052f9e1f69cb1420b3d2cb9a0204e14d
Opcode Fuzzy Hash: cedde2ea168fcb0feb12134ca933550a549645bcea35c3d985cd85bec1a6abf1
Instruction Fuzzy Hash: A2514D71504715AFD320EF28D885EABBBE8FF94710F50482DF595D72A2EB70A904CB92

Function 0089E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0089E628

Strings

|, xrefs: 0089E658
(, xrefs: 0089E66E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 720716828a07cf725bec3283e5dee1a333429858461512fe2c46c3b2a666e17d
Instruction ID: 6e514308e454298dcf9b3d69d4998309cb481605ba37a4222f32687948f1e205
Opcode Fuzzy Hash: 720716828a07cf725bec3283e5dee1a333429858461512fe2c46c3b2a666e17d
Instruction Fuzzy Hash: 99323575A007059FDB28DF59C48096ABBF1FF58320B15C56EE89ADB3A1E770E941CB40

Function 008B22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008B180A,00000000), ref: 008B23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008B2418

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 9f1c9b8191dd045a33b6a6ff9882c8c105d46af8c21b0dc9db47d8749f092afd
Instruction ID: 1f1130058eaf4e55232a7789a250180254298b10f92cbfa13ba0a0fb7c512491
Opcode Fuzzy Hash: 9f1c9b8191dd045a33b6a6ff9882c8c105d46af8c21b0dc9db47d8749f092afd
Instruction Fuzzy Hash: 2441F271A00209BFEB109E99DC81EFFB7FCFB44324F10406AF601E6751DA759E419A65

Function 008AB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008AB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008AB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008AB4B2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1da06e339fa7c2b984a40efed2b3c022fe4bd76542aa25ebe01642920c097b54
Instruction ID: a26b4b789a408ab8eeef35490fe0335bb31ed7039f9a98fb85d1dc71952af905
Opcode Fuzzy Hash: 1da06e339fa7c2b984a40efed2b3c022fe4bd76542aa25ebe01642920c097b54
Instruction Fuzzy Hash: C9216235A00108DFDB00EFA9D880EEEBBB8FF49314F1480AAE945EB352DB319915CB51

Function 008987E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0089882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00898858
GetLastError.KERNEL32 ref: 00898865

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d7a9e39268260e9847b6c7adc42d4c158d505b2fde8691f84537fb694b537923
Instruction ID: 12d243dbefd6ee33111692ed59b9b96e284d7fa7389ffa8f4e840f808351cc4b
Opcode Fuzzy Hash: d7a9e39268260e9847b6c7adc42d4c158d505b2fde8691f84537fb694b537923
Instruction Fuzzy Hash: 9C118FB2514205AFEB18EFA4DC85D6BB7F9FB45710B24862EF455D7241EB30BC408B60

Function 0089874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00898774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0089878B
FreeSid.ADVAPI32(?), ref: 0089879B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4916f0c6955f774f751d4a6163600e1eb1a91aa7b758cc8dc4eb27bd99d8a92d
Instruction ID: 318609c8bdd96ac315eef26f1aef05882d6f744b7be153801176cf508cd3bcfc
Opcode Fuzzy Hash: 4916f0c6955f774f751d4a6163600e1eb1a91aa7b758cc8dc4eb27bd99d8a92d
Instruction Fuzzy Hash: C9F03C75911209BBEF00DFE49C89EADB7B9FF08601F104469AA01E2182D7715A048B50

Function 008AC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008AC6FB
FindClose.KERNEL32(00000000), ref: 008AC72B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d504cb2cb598b7a8540455b66d409636ef2b774442dedb67617ef47d5262930d
Instruction ID: e6f11e77739477e1e2fa91ef9c79b724a3c667ef78d674108bc080213efbd9af
Opcode Fuzzy Hash: d504cb2cb598b7a8540455b66d409636ef2b774442dedb67617ef47d5262930d
Instruction Fuzzy Hash: 35115E726006049FDB10EF2DD845A2AF7E9FF85324F04852EF9A9D7291DB30A805CF81

Function 008AA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008B9468,?,008CFB84,?), ref: 008AA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008B9468,?,008CFB84,?), ref: 008AA0A9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2988a6b6ccc805819f9bda5c9fb48ec794f1e0770423385987e19b6fbf8df3df
Instruction ID: 9069e496c6fe05f766021efd3dc555d681f0f89aeb094c084b5f7ae6da8c07ff
Opcode Fuzzy Hash: 2988a6b6ccc805819f9bda5c9fb48ec794f1e0770423385987e19b6fbf8df3df
Instruction Fuzzy Hash: C1F0823551522DBBEB619FA8CC48FEA776DFF09361F008165F909D6581D7309940CBA2

Function 008981CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00898309), ref: 008981E0
CloseHandle.KERNEL32(?,?,00898309), ref: 008981F2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 167ce94059fa0d4fd2ea4b3ee37672fa49af1e5383f6d04ec97a694619f78d9b
Instruction ID: 8d3ff3ffaf2694f66efb0b0c2230b424c7a2ab0c641edc50f9581b9225dbf512
Opcode Fuzzy Hash: 167ce94059fa0d4fd2ea4b3ee37672fa49af1e5383f6d04ec97a694619f78d9b
Instruction Fuzzy Hash: 0CE0B672010A21AFEB252B65EC09D777BAAFB04310B15882AB9A6C4471DB72AC91DB14

Function 0086A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00868D57,?,?,?,00000001), ref: 0086A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0086A163

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5fc794624640f5ce73385fe5a862535f7ebe6b9ea3becf2fcd189acb61aa7382
Instruction ID: 5ce5849bd157ad6909b2731fd587cc9801fd180865b8ba21bddf13145566f97f
Opcode Fuzzy Hash: 5fc794624640f5ce73385fe5a862535f7ebe6b9ea3becf2fcd189acb61aa7382
Instruction Fuzzy Hash: 29B09231054248BBEA002BA1EC09F883F7AFB84AA2F404020FB0D84262CB7256508A91

Function 0084E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00883E62

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8c2ec3b1013d2bc475e2d78fa3cd73e23b74cb3b191d149d193dd0ec52668fe1
Instruction ID: 71a42c3e90b94a67d6c9d4df8243061c543c258f23337f8499ed927255368789
Opcode Fuzzy Hash: 8c2ec3b1013d2bc475e2d78fa3cd73e23b74cb3b191d149d193dd0ec52668fe1
Instruction Fuzzy Hash: 3CA28A75A0021DCFCB24CF58C480AAAB7B2FF58314F248469E955EB352D775ED82CB91

Function 0086F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c813785f846c8ba5cf3b79d4d847a719a40e4116b94a72b563d2de32556ab272
Instruction ID: ee2a8d2bf42b12724509683933f622f8251568495f79ca3f10918ad3baa48430
Opcode Fuzzy Hash: c813785f846c8ba5cf3b79d4d847a719a40e4116b94a72b563d2de32556ab272
Instruction Fuzzy Hash: 5E32E222D2AF414DD7239634E822336A749FFB73D5F55D737E81AB5AA6EB28C4834100

Function 0087242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc4298ae718ce8f0c9a5002d88e0c4510e81f6a142e91a889bf2475052c56dd
Instruction ID: 7e7ae076a71354d6cc0b18102240bba96849237eeaafdb8bfdb032ee178ba8c0
Opcode Fuzzy Hash: 6bc4298ae718ce8f0c9a5002d88e0c4510e81f6a142e91a889bf2475052c56dd
Instruction Fuzzy Hash: A1B1EF20D2AF404DD22796398831336BB5DBFBB2D5F61D71BFC2A70E26EB2185834141

Function 008A8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 008A889B

Part of subcall function 0086520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008A8F6E,00000000,?,?,?,?,008A911F,00000000,?), ref: 00865213
Part of subcall function 0086520A: __aulldiv.LIBCMT ref: 00865233

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: d3e34e2d924c31e319381dff3884661242461ff5050a481ce766186326f2866b
Instruction ID: b456d51ba7f898f0d5eb4bd92ee0187bd71c3122308e88891623ad68ecc2e69e
Opcode Fuzzy Hash: d3e34e2d924c31e319381dff3884661242461ff5050a481ce766186326f2866b
Instruction Fuzzy Hash: 5E21AF32639610CFD729CF29D841A52B3E5EBA5311B688E6CE0F5CB2C0CF74A905DB54

Function 008A4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008A4C4A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6505650bc739473b910ecda6a907b199cb850519e93f16f807600e97efc73fd9
Instruction ID: edea11bffd3b1a2dada725bd6b60b68125b92a57631817d1d0b1af44a58bf53d
Opcode Fuzzy Hash: 6505650bc739473b910ecda6a907b199cb850519e93f16f807600e97efc73fd9
Instruction Fuzzy Hash: 70D05E9916520D78FC1C07209E0FF7A4108F3C27B6FD0B1497209CA8C2ECF06C416031

Function 008987B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00898389), ref: 008987D1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0c40a805a0834b2589c4cedded80f344c67f6f38a3a6906f1524c698b97d856e
Instruction ID: f262d7884f9e18ae61fe62214edc7b0beabae58160b891ee2f47e3416c035472
Opcode Fuzzy Hash: 0c40a805a0834b2589c4cedded80f344c67f6f38a3a6906f1524c698b97d856e
Instruction Fuzzy Hash: 3BD09E3226490EABEF019EA4DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60

Function 0086A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0086A12A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dfa3ef8bf9381c8a7c1869cda7f58076c95b790eb82ebdb88adb02dd19fbe19e
Instruction ID: 566df0e4bc940a9270fbddd293c53d90b287388d9be25460450d360350e33ff0
Opcode Fuzzy Hash: dfa3ef8bf9381c8a7c1869cda7f58076c95b790eb82ebdb88adb02dd19fbe19e
Instruction Fuzzy Hash: 52A0123000010CB78A001B51EC048447F6DE640190B004020F50C40122873255104580

Function 00858808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9364118d9f00e1aa43d9ce942d5e23f799da16d77d7f4d0cade6e59ff8d0a66
Instruction ID: 510cfc21f741d7b8ddd43f41dc7c6c8a3bb29847a739352980c9f6deab181d30
Opcode Fuzzy Hash: b9364118d9f00e1aa43d9ce942d5e23f799da16d77d7f4d0cade6e59ff8d0a66
Instruction Fuzzy Hash: 6F22563060451ACBDF3A9B64C49477C7BA2FF4134AF28806BDD82EB592DB709C99C742

Function 008621C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 44e3d6e7e8e0d2c67ab4f7342420abce14945623783e25a3e2565ca3f2911cb5
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 36C160322055930ADF6D4639847803EFAA1BEA27B131B07ADD8B3CF1D5EE20C965D720

Function 008625FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 263e81b3552d3ae1ea8ef34f865b40c8c8864ddd3968c6e0d5df536aa5a7313c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 01C152322055930ADF6D463AC47453EBAA1BEA27B131F07ADD4B2DF1D5EE20C925E720

Function 00861D90 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 09ab20130c37da5d6c4ac5f32b8583b7bfa338b54342ea76922f19a393e25943
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 6DC183322095930ADF6D4639847803EBAA1FEA27B131F07ADD4B2DF1D6EE10D925D720

Function 00861978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ea1e02c2eb65f2f4ff20209ecdc83db9bd428e6160710bdf258c3208777dc677
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: F9C1623220519309DF6D463A847813EBAA1FEA27B231F176DD4B2CF1D6EE20C965D760

Function 008B7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008B785B
DeleteObject.GDI32(00000000), ref: 008B786D
DestroyWindow.USER32 ref: 008B787B
GetDesktopWindow.USER32 ref: 008B7895
GetWindowRect.USER32(00000000), ref: 008B789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008B79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008B79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7A35
GetClientRect.USER32(00000000,?), ref: 008B7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008B7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7ABB
GlobalLock.KERNEL32(00000000), ref: 008B7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AD3
GlobalUnlock.KERNEL32(00000000), ref: 008B7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7AE3
GlobalFree.KERNEL32(00000000), ref: 008B7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008D2CAC,00000000), ref: 008B7B16
GlobalFree.KERNEL32(00000000), ref: 008B7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008B7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008B7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008B7D7A

Strings

static, xrefs: 008B7A75, 008B7BCC
, xrefs: 008B7D00
AutoIt v3, xrefs: 008B7A2D
DISPLAY, xrefs: 008B7BDD

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a6903321cbebabb003423580487d0e7f509663546999df88f2c96fb15b9b5207
Instruction ID: 367a874e1171e5d94e7149ce548dd64eebf38c68af17ab5a4f60200960790964
Opcode Fuzzy Hash: a6903321cbebabb003423580487d0e7f509663546999df88f2c96fb15b9b5207
Instruction Fuzzy Hash: 52022B71910219AFDB14DFA8DC89EAE7BB9FF48310F148169F915EB2A1C774AD01CB60

Function 008C356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,008CF910), ref: 008C3627
IsWindowVisible.USER32(?), ref: 008C364B

Strings

TABRIGHT, xrefs: 008C369D
SETCURRENTSELECTION, xrefs: 008C37B6
SELECTSTRING, xrefs: 008C3806
GETLINE, xrefs: 008C399B
CHECK, xrefs: 008C386D
EDITPASTE, xrefs: 008C395F
ISENABLED, xrefs: 008C366B
FINDSTRING, xrefs: 008C3776
GETCURRENTLINE, xrefs: 008C38ED
ISVISIBLE, xrefs: 008C3637
HIDEDROPDOWN, xrefs: 008C3700
ADDSTRING, xrefs: 008C3716
GETCURRENTCOL, xrefs: 008C3928
GETLINECOUNT, xrefs: 008C38C6
SENDCOMMANDID, xrefs: 008C39DA
GETCURRENTSELECTION, xrefs: 008C37E3
UNCHECK, xrefs: 008C3883
CURRENTTAB, xrefs: 008C36BD
GETSELECTED, xrefs: 008C38A3
DELSTRING, xrefs: 008C3749
SHOWDROPDOWN, xrefs: 008C36E0
TABLEFT, xrefs: 008C3687
ISCHECKED, xrefs: 008C3839

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0f2d69a8f0835a13ba002a9f8624864bb0aa27154f7811d5ed8caa32c6f098a0
Instruction ID: 0fd19fa37dabc053d9e38ed57632c8bf4dd7cb366b37d4c5d4bb87cad9b6b4e8
Opcode Fuzzy Hash: 0f2d69a8f0835a13ba002a9f8624864bb0aa27154f7811d5ed8caa32c6f098a0
Instruction Fuzzy Hash: 40D159302043159BCA14EF68C451F6E7BA1FF95394F15846CF9C6DB2A2DB31EA0ADB42

Function 008CA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008CA630
GetSysColorBrush.USER32(0000000F), ref: 008CA661
GetSysColor.USER32(0000000F), ref: 008CA66D
SetBkColor.GDI32(?,000000FF), ref: 008CA687
SelectObject.GDI32(?,00000000), ref: 008CA696
InflateRect.USER32(?,000000FF,000000FF), ref: 008CA6C1
GetSysColor.USER32(00000010), ref: 008CA6C9
CreateSolidBrush.GDI32(00000000), ref: 008CA6D0
FrameRect.USER32(?,?,00000000), ref: 008CA6DF
DeleteObject.GDI32(00000000), ref: 008CA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 008CA731
FillRect.USER32(?,?,00000000), ref: 008CA763
GetWindowLongW.USER32(?,000000F0), ref: 008CA78E

Part of subcall function 008CA8CA: GetSysColor.USER32(00000012), ref: 008CA903
Part of subcall function 008CA8CA: SetTextColor.GDI32(?,?), ref: 008CA907
Part of subcall function 008CA8CA: GetSysColorBrush.USER32(0000000F), ref: 008CA91D
Part of subcall function 008CA8CA: GetSysColor.USER32(0000000F), ref: 008CA928
Part of subcall function 008CA8CA: GetSysColor.USER32(00000011), ref: 008CA945
Part of subcall function 008CA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008CA953
Part of subcall function 008CA8CA: SelectObject.GDI32(?,00000000), ref: 008CA964
Part of subcall function 008CA8CA: SetBkColor.GDI32(?,00000000), ref: 008CA96D
Part of subcall function 008CA8CA: SelectObject.GDI32(?,?), ref: 008CA97A
Part of subcall function 008CA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 008CA999
Part of subcall function 008CA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008CA9B0
Part of subcall function 008CA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 008CA9C5
Part of subcall function 008CA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008CA9ED

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 82a57cf509fe27379b25752dfe4201e6d80e0eecc52defa06c1b108bd24a5743
Instruction ID: bd5981d0a017bee8daee65bc999b45d1cf4a1b54e7ae46b8fd91aee86bcae5be
Opcode Fuzzy Hash: 82a57cf509fe27379b25752dfe4201e6d80e0eecc52defa06c1b108bd24a5743
Instruction Fuzzy Hash: 2D915A72008305EFE7119F64DC08E5B7BBAFB88325F144A29FAA2D61A2D771D944CB52

Function 00842C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00842CA2
DeleteObject.GDI32(00000000), ref: 00842CE8
DeleteObject.GDI32(00000000), ref: 00842CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00842CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00842D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0087C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0087C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0087C89D

Part of subcall function 00841B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00842036,?,00000000,?,?,?,?,008416CB,00000000,?), ref: 00841B9A

SendMessageW.USER32(?,00001053), ref: 0087C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0087C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0087C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0087C912

Strings

0, xrefs: 0087C731

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: ae4e3eb45835bc046d2d10f577cbca281ea59d120c07d79dc341410aa62113a8
Instruction ID: c8dfe829311aae3a3468f0c0e0ff560825c9949908c937ccedcb6971c31f1023
Opcode Fuzzy Hash: ae4e3eb45835bc046d2d10f577cbca281ea59d120c07d79dc341410aa62113a8
Instruction Fuzzy Hash: 91128C30604205EFDB25CF28C884BA9BBE5FF54314F5485ADF999CB266CB31E842DB91

Function 008B74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008B74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008B759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008B75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008B75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008B7633
GetClientRect.USER32(00000000,?), ref: 008B763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008B7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008B7692
GetStockObject.GDI32(00000011), ref: 008B76A2
SelectObject.GDI32(00000000,00000000), ref: 008B76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008B76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008B76BF
DeleteDC.GDI32(00000000), ref: 008B76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008B76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 008B770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008B7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008B775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 008B776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008B779B
GetStockObject.GDI32(00000011), ref: 008B77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008B77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008B77BB

Strings

static, xrefs: 008B767D, 008B7795
AutoIt v3, xrefs: 008B762B
DISPLAY, xrefs: 008B7688
msctls_progress32, xrefs: 008B773C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e6d012cf3e28f4ade707b49d628b66e96d47b329c915aaa39b951f644c3590c8
Instruction ID: b06753630769cd0bceef46c71c2c792c09aafbdd9fdbeb014047256c11055aaa
Opcode Fuzzy Hash: e6d012cf3e28f4ade707b49d628b66e96d47b329c915aaa39b951f644c3590c8
Instruction Fuzzy Hash: 7DA14F71A50619BFEB249BA8DC4AFAB7BBAFF44710F004115FA15E72E1C670AD00CB64

Function 008AAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008AAD1E
GetDriveTypeW.KERNEL32(?,008CFAC0,?,\\.\,008CF910), ref: 008AADFB
SetErrorMode.KERNEL32(00000000,008CFAC0,?,\\.\,008CF910), ref: 008AAF59

Strings

CDROM, xrefs: 008AAE2F
FileBackedVirtual, xrefs: 008AAF28
ATA, xrefs: 008AAED4
Removable, xrefs: 008AAE4D
SCSI, xrefs: 008AAEC6
iSCSI, xrefs: 008AAEFE
\\.\, xrefs: 008AAD70
1394, xrefs: 008AAEDB
RAID, xrefs: 008AAEF7
Unknown, xrefs: 008AAE1B, 008AAEBF
SSA, xrefs: 008AAEE2
USB, xrefs: 008AAEF0
Virtual, xrefs: 008AAF21
RAMDisk, xrefs: 008AAE25
Fixed, xrefs: 008AAE43
PhysicalDrive, xrefs: 008AADA7
Fibre, xrefs: 008AAEE9
SSD, xrefs: 008AAE86
Network, xrefs: 008AAE39
MMC, xrefs: 008AAF1A
SAS, xrefs: 008AAF05
ATAPI, xrefs: 008AAECD
SATA, xrefs: 008AAF0C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f98a055412d161d7d7ec4506bb55fde5daa8d1e3bc84670d859fe3971269b5ed
Instruction ID: c516e92f1bebeb4a5ddcb57ff78fd0dedf85443880bc05848b0a50f3b62d8c9a
Opcode Fuzzy Hash: f98a055412d161d7d7ec4506bb55fde5daa8d1e3bc84670d859fe3971269b5ed
Instruction Fuzzy Hash: D7518AB064820DEFAB1CEB24D982CB9B3A1FB0A718B204057E516E6E91DF359D05DB53

Function 008468DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00846931
__wcsnicmp.LIBCMT ref: 00846949
__wcsnicmp.LIBCMT ref: 00846961
__wcsnicmp.LIBCMT ref: 00846979
__wcsnicmp.LIBCMT ref: 00846991
__wcsnicmp.LIBCMT ref: 008469A9
__wcsnicmp.LIBCMT ref: 008469C1
__wcsnicmp.LIBCMT ref: 008469D5
__wcsnicmp.LIBCMT ref: 00846A16
__wcsnicmp.LIBCMT ref: 00846A2A
__wcsnicmp.LIBCMT ref: 00846A3E
__wcsnicmp.LIBCMT ref: 00846A52

Strings

#include-once, xrefs: 0084698B
#ce, xrefs: 00846A4C
#cs, xrefs: 008469CF, 00846A24
#pragma compile, xrefs: 0084692B
#include, xrefs: 008469A3
Unterminated group of comments, xrefs: 0087E403
#requireadmin, xrefs: 0084695B
Bad directive syntax error, xrefs: 0087E31A
#OnAutoItStartRegister, xrefs: 00846973
#comments-end, xrefs: 00846A38
Cannot parse #include, xrefs: 0087E3F0
#notrayicon, xrefs: 00846943
#comments-start, xrefs: 008469BB, 00846A10

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: fd52254e0428a79cd1c9e74674e825837bf32253b83118d57dc0c1f726dd01c2
Instruction ID: 75555a4c9de753fa543adacefc95d2ec926f032e2760a7b0ac71f51551feb171
Opcode Fuzzy Hash: fd52254e0428a79cd1c9e74674e825837bf32253b83118d57dc0c1f726dd01c2
Instruction Fuzzy Hash: B78117B060061DAADB10AB64EC42FAF3B68FF16714F044025F905EA296FB74DE65C663

Function 008CA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008CA903
SetTextColor.GDI32(?,?), ref: 008CA907
GetSysColorBrush.USER32(0000000F), ref: 008CA91D
GetSysColor.USER32(0000000F), ref: 008CA928
CreateSolidBrush.GDI32(?), ref: 008CA92D
GetSysColor.USER32(00000011), ref: 008CA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008CA953
SelectObject.GDI32(?,00000000), ref: 008CA964
SetBkColor.GDI32(?,00000000), ref: 008CA96D
SelectObject.GDI32(?,?), ref: 008CA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 008CA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008CA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 008CA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008CA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008CAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 008CAA32
DrawFocusRect.USER32(?,?), ref: 008CAA3D
GetSysColor.USER32(00000011), ref: 008CAA4B
SetTextColor.GDI32(?,00000000), ref: 008CAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 008CAA67
SelectObject.GDI32(?,008CA5FA), ref: 008CAA7E
DeleteObject.GDI32(?), ref: 008CAA89
SelectObject.GDI32(?,?), ref: 008CAA8F
DeleteObject.GDI32(?), ref: 008CAA94
SetTextColor.GDI32(?,?), ref: 008CAA9A
SetBkColor.GDI32(?,?), ref: 008CAAA4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2fee844cf223a9e5d2c4addece6825fb2615ac668704b3712f040ac8d1837bc1
Instruction ID: cf01569f50d1706b1d54256220cad93a9635cabfbb1155f44cf22457d1693d90
Opcode Fuzzy Hash: 2fee844cf223a9e5d2c4addece6825fb2615ac668704b3712f040ac8d1837bc1
Instruction Fuzzy Hash: 0D512C71900218EFEB119FA4DC49EAE7B7AFB08320F154625FA11AB2A2D7719940DF90

Function 008C89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008C8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C8AD2
CharNextW.USER32(0000014E), ref: 008C8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008C8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008C8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 008C8B86
SetWindowTextW.USER32(?,0000014E), ref: 008C8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 008C8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 008C8C1F
_memset.LIBCMT ref: 008C8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 008C8C8D
_memset.LIBCMT ref: 008C8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 008C8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 008C8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 008C8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 008C8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008C8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008C8EB4
DrawMenuBar.USER32(?), ref: 008C8EC3
SetWindowTextW.USER32(?,0000014E), ref: 008C8EEB

Strings

0, xrefs: 008C8E55

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d7a3969c0c24b5894f04ca3f4c72cb03a121a5126b68ad54c2796733daf01edc
Instruction ID: 34793a561b7a7e390de2219a1ea080b215685d83e49309f9daa2e973b2a9d8d9
Opcode Fuzzy Hash: d7a3969c0c24b5894f04ca3f4c72cb03a121a5126b68ad54c2796733daf01edc
Instruction Fuzzy Hash: 88E13B70940218EEDB219F64DC84FEE7BB9FB05724F10815AFA15EA291DB70DA80DF61

Function 008C488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008C49CA
GetDesktopWindow.USER32 ref: 008C49DF
GetWindowRect.USER32(00000000), ref: 008C49E6
GetWindowLongW.USER32(?,000000F0), ref: 008C4A48
DestroyWindow.USER32(?), ref: 008C4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008C4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008C4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008C4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 008C4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008C4B09
IsWindowVisible.USER32(?), ref: 008C4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 008C4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 008C4B58
GetWindowRect.USER32(?,?), ref: 008C4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 008C4B96
GetMonitorInfoW.USER32(00000000,?), ref: 008C4BB0
CopyRect.USER32(?,?), ref: 008C4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 008C4C32

Strings

0, xrefs: 008C4975
tooltips_class32, xrefs: 008C4A96
(, xrefs: 008C4BA3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ebcd3ce6433db8b16f1911d9110839203cfe903d7a95180bad369f737cdb8ce0
Instruction ID: 506cfe4b8392a787ca9f93ebd9eb0043632c1329f896a43907f145d5663a20ea
Opcode Fuzzy Hash: ebcd3ce6433db8b16f1911d9110839203cfe903d7a95180bad369f737cdb8ce0
Instruction Fuzzy Hash: 68B18770604350AFDB14DF68C888F6ABBE5FB88314F00891DF999DB2A1D771E845CB96

Function 008427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008428BC
GetSystemMetrics.USER32(00000007), ref: 008428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008428EF
GetSystemMetrics.USER32(00000008), ref: 008428F7
GetSystemMetrics.USER32(00000004), ref: 0084291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00842939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00842949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0084297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00842990
GetClientRect.USER32(00000000,000000FF), ref: 008429AE
GetStockObject.GDI32(00000011), ref: 008429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 008429D5

Part of subcall function 00842344: GetCursorPos.USER32(?), ref: 00842357
Part of subcall function 00842344: ScreenToClient.USER32(009057B0,?), ref: 00842374
Part of subcall function 00842344: GetAsyncKeyState.USER32(00000001), ref: 00842399
Part of subcall function 00842344: GetAsyncKeyState.USER32(00000002), ref: 008423A7

SetTimer.USER32(00000000,00000000,00000028,00841256), ref: 008429FC

Strings

AutoIt v3 GUI, xrefs: 00842974

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: da3651a13d253e4586729e83a4934e16b0818345cf744383e71e512123561787
Instruction ID: 9b81eeb057c56e9beaf42ab66e84c26481ca6436774a0402754e0afe200e7013
Opcode Fuzzy Hash: da3651a13d253e4586729e83a4934e16b0818345cf744383e71e512123561787
Instruction Fuzzy Hash: 43B13A71A0460ADFDB14DFA8DC49BAE7BB5FB08314F518229FA15E72A0DB74D840DB60

Function 0089A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0089A47A
__swprintf.LIBCMT ref: 0089A51B
_wcscmp.LIBCMT ref: 0089A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0089A583
_wcscmp.LIBCMT ref: 0089A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0089A5F6
GetDlgCtrlID.USER32(?), ref: 0089A648
GetWindowRect.USER32(?,?), ref: 0089A67E
GetParent.USER32(?), ref: 0089A69C
ScreenToClient.USER32(00000000), ref: 0089A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0089A71D
_wcscmp.LIBCMT ref: 0089A731
GetWindowTextW.USER32(?,?,00000400), ref: 0089A757
_wcscmp.LIBCMT ref: 0089A76B

Part of subcall function 0086362C: _iswctype.LIBCMT ref: 00863634

Strings

%s%u, xrefs: 0089A515

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 09cf65fca1d8ed59b9aa45fc2a7595985f4fddd0440899fedb1cc2fb4293600c
Instruction ID: 7002ee757481b8238d0d4d9257e4e6421c2c6f1f681ef46e5105b6c51083da4a
Opcode Fuzzy Hash: 09cf65fca1d8ed59b9aa45fc2a7595985f4fddd0440899fedb1cc2fb4293600c
Instruction Fuzzy Hash: D5A1E031204206BFDB19EFA4C885FAAB7E8FF54314F088529F999D2191DB30E955CBD2

Function 0089AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0089AF18
_wcscmp.LIBCMT ref: 0089AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0089AF51
CharUpperBuffW.USER32(?,00000000), ref: 0089AF6E
_wcscmp.LIBCMT ref: 0089AF8C
_wcsstr.LIBCMT ref: 0089AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0089AFD5
_wcscmp.LIBCMT ref: 0089AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0089B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0089B055
_wcscmp.LIBCMT ref: 0089B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0089B08D
GetWindowRect.USER32(00000004,?), ref: 0089B0F6

Strings

@, xrefs: 0089AEF9
ThumbnailClass, xrefs: 0089AFE0, 0089B060

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 090389ab8de141a9240ad15bd44d05a13ba598650b29bff26ca512836791feda
Instruction ID: 4772e0b9d9a37e138585c4734fa09b5a02f38e21b2c1a9e67e96198e619ffc10
Opcode Fuzzy Hash: 090389ab8de141a9240ad15bd44d05a13ba598650b29bff26ca512836791feda
Instruction Fuzzy Hash: 39819C711082099FDF04EF14D985FAA7BE8FF54714F08846AED85CA092DB34DD49CBA2

Function 0089ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0089AC33

Strings

[HANDLE:, xrefs: 0089AC3F
LAST, xrefs: 0089ABF8
ACTIVE, xrefs: 0089AC0E
HANDLE=, xrefs: 0089AC2C
[CLASS:, xrefs: 0089AC83
[ALL, xrefs: 0089ACD9
ALL, xrefs: 0089ACC7
[REGEXPTITLE:, xrefs: 0089AC5B
REGEXP=, xrefs: 0089AC48
CLASSNAME=, xrefs: 0089AC70
[LAST, xrefs: 0089ACE0
[ACTIVE, xrefs: 0089AC20

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: f078628aea4ce313ff356ab65f66e23c4000a2a7f9b4457a309beaeca4d6735e
Instruction ID: 901790b9a0d86f89875f403e6acdae7bdd03ce72d14eda1805e4b48571c95255
Opcode Fuzzy Hash: f078628aea4ce313ff356ab65f66e23c4000a2a7f9b4457a309beaeca4d6735e
Instruction Fuzzy Hash: F431B030A4821DABEB08FA68DD43EBE77A4FB10714F250428F512F51D2EB656F148693

Function 008B4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 008B5013
LoadCursorW.USER32(00000000,00007F00), ref: 008B501E
LoadCursorW.USER32(00000000,00007F03), ref: 008B5029
LoadCursorW.USER32(00000000,00007F8B), ref: 008B5034
LoadCursorW.USER32(00000000,00007F01), ref: 008B503F
LoadCursorW.USER32(00000000,00007F81), ref: 008B504A
LoadCursorW.USER32(00000000,00007F88), ref: 008B5055
LoadCursorW.USER32(00000000,00007F80), ref: 008B5060
LoadCursorW.USER32(00000000,00007F86), ref: 008B506B
LoadCursorW.USER32(00000000,00007F83), ref: 008B5076
LoadCursorW.USER32(00000000,00007F85), ref: 008B5081
LoadCursorW.USER32(00000000,00007F82), ref: 008B508C
LoadCursorW.USER32(00000000,00007F84), ref: 008B5097
LoadCursorW.USER32(00000000,00007F04), ref: 008B50A2
LoadCursorW.USER32(00000000,00007F02), ref: 008B50AD
LoadCursorW.USER32(00000000,00007F89), ref: 008B50B8
GetCursorInfo.USER32(?), ref: 008B50C8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: d901ac9278472577478a80d1525bc09d4990601e377393a2e75db36474de0b0e
Instruction ID: 371b909d2e0cfaefdbd25ae71a9263e5f333799a2a1c254d1ef93abbdb59390a
Opcode Fuzzy Hash: d901ac9278472577478a80d1525bc09d4990601e377393a2e75db36474de0b0e
Instruction Fuzzy Hash: E231E1B1D4871D6ADB109FBA8C899AFBFE8FF04750F50453AE50DE7280DA78A5018E91

Function 008CA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008CA259
DestroyWindow.USER32(?,?), ref: 008CA2D3

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008CA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008CA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008CA382
DestroyWindow.USER32(00000000), ref: 008CA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00840000,00000000), ref: 008CA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008CA3F4
GetDesktopWindow.USER32 ref: 008CA40D
GetWindowRect.USER32(00000000), ref: 008CA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008CA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008CA444

Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC

Strings

tooltips_class32, xrefs: 008CA346, 008CA3D4
0, xrefs: 008CA26F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fe376bc52f7ac4010d2e3e0ae9b3a90a6673c65892805425a1a1b5ee87c88935
Instruction ID: e2bb6f4239564b65a38337473bfa4c2a26301919eaa8ed1bc3b63c7603e41202
Opcode Fuzzy Hash: fe376bc52f7ac4010d2e3e0ae9b3a90a6673c65892805425a1a1b5ee87c88935
Instruction Fuzzy Hash: B9716770144248AFEB29CF28C849F6A7BF6FB88708F04452CF985C72A1D774E906DB56

Function 008CC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

DragQueryPoint.SHELL32(?,?), ref: 008CC627

Part of subcall function 008CAB37: ClientToScreen.USER32(?,?), ref: 008CAB60
Part of subcall function 008CAB37: GetWindowRect.USER32(?,?), ref: 008CABD6
Part of subcall function 008CAB37: PtInRect.USER32(?,?,008CC014), ref: 008CABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 008CC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008CC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008CC6BE
_wcscat.LIBCMT ref: 008CC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008CC705
SendMessageW.USER32(?,000000B0,?,?), ref: 008CC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 008CC735
SendMessageW.USER32(?,000000B1,?,?), ref: 008CC757
DragFinish.SHELL32(?), ref: 008CC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008CC851

Strings

@GUI_DROPID, xrefs: 008CC77E
@GUI_DRAGID, xrefs: 008CC7C9
@GUI_DRAGFILE, xrefs: 008CC800

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: d326904618409e73b38c2971e90c45f319e3dc8321f5fd36452bf448e8c20f67
Instruction ID: 95cf00828c119febf598915f9c4cae9591cf47c0bcf492af3f46ab60ca122d7a
Opcode Fuzzy Hash: d326904618409e73b38c2971e90c45f319e3dc8321f5fd36452bf448e8c20f67
Instruction Fuzzy Hash: 16613A71108304AFD701EF68D885EAFBBF9FB99710F00092EF695D62A1DB709949CB52

Function 008C4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008C4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008C446F

Strings

GETITEMCOUNT, xrefs: 008C4551
EXISTS, xrefs: 008C44D8
CHECK, xrefs: 008C448F
GETTOTALCOUNT, xrefs: 008C4456
COLLAPSE, xrefs: 008C44B5
UNCHECK, xrefs: 008C464B
GETSELECTED, xrefs: 008C457F
GETTEXT, xrefs: 008C45C2
EXPAND, xrefs: 008C4521
SELECT, xrefs: 008C4620
ISCHECKED, xrefs: 008C45F2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 51beca676d89fe3421a60d8042e7422a61ad2b52f0da7601ca97b76e3b1e1c63
Instruction ID: f140d5ccc56e6fdec82f3784c33ab41d33832bb4c3291316caffaf74c322cdde
Opcode Fuzzy Hash: 51beca676d89fe3421a60d8042e7422a61ad2b52f0da7601ca97b76e3b1e1c63
Instruction Fuzzy Hash: 819169302003159BCB14EF28C461E6EB7A1FF95354F15886DE8D69B3A2DB31ED49CB82

Function 008CB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008CB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008C6B11,?), ref: 008CB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008CB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008CB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008CB9C3
FreeLibrary.KERNEL32(?), ref: 008CB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008CB9DF
DestroyIcon.USER32(?), ref: 008CB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008CBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008CBA17

Part of subcall function 00862EFD: __wcsicmp_l.LIBCMT ref: 00862F86

Strings

.dll, xrefs: 008CB86D
.icl, xrefs: 008CB82A
.exe, xrefs: 008CB84A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 7029ecc39d9b036d35e9e3b6f57921b8e9bbcac8cb5d9fec2b0909e1855cf1c4
Instruction ID: 874d43f14cbcf85900e1516ff7cfa563f55f6dafefc21f14b48e3ee5c0bd8e28
Opcode Fuzzy Hash: 7029ecc39d9b036d35e9e3b6f57921b8e9bbcac8cb5d9fec2b0909e1855cf1c4
Instruction Fuzzy Hash: 0E61CF71900A19BAEB14DF68DC42FBA7BB8FB08720F10411AFA15D61D1EB74D994DBA0

Function 008ADC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008ADCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 008ADCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008ADCF8
__wsplitpath.LIBCMT ref: 008ADD56
_wcscat.LIBCMT ref: 008ADD6E
_wcscat.LIBCMT ref: 008ADD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008ADD95
SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 008ADDFC
_wcscpy.LIBCMT ref: 008ADE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008ADE47

Strings

*.*, xrefs: 008ADE02

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 45d08252237f9a2bc4cf4cae9394c545f2cedfa9e45e0b0f65c40dc50eab8107
Instruction ID: b70f63a4869e810d460132159c49c0012fe1bd6dcc3fa4fdc08724351b038310
Opcode Fuzzy Hash: 45d08252237f9a2bc4cf4cae9394c545f2cedfa9e45e0b0f65c40dc50eab8107
Instruction Fuzzy Hash: 3A615B725043099FDB20EF64C8449AEB3E8FF89324F04492EF98AC7651EB75E945CB52

Function 008A9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 008A9C7F

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008A9CA0
__swprintf.LIBCMT ref: 008A9CF9
__swprintf.LIBCMT ref: 008A9D12
_wprintf.LIBCMT ref: 008A9DB9
_wprintf.LIBCMT ref: 008A9DD7

Strings

Error: , xrefs: 008A9D81
Incorrect parameters to object property !, xrefs: 008A9D5B
^ ERROR , xrefs: 008A9D4E
"%s" (%d) : ==> %s:, xrefs: 008A9DD2
Line %d (File "%s"):, xrefs: 008A9CF3, 008A9D0C
"%s" (%d) : ==> %s:%s%s, xrefs: 008A9DB4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 952c2e8d22c1b21b48825e556060cd8872b1efd8971f15bcf94d3d140ed2542e
Instruction ID: 23370746145a9574a31b3656ebd856a448ee3852d08a1b2382f096656af28d2e
Opcode Fuzzy Hash: 952c2e8d22c1b21b48825e556060cd8872b1efd8971f15bcf94d3d140ed2542e
Instruction Fuzzy Hash: 3D516F3190460DAADF14EBA8DD86EEEBB78FF14300F500065F515F21A2EB352E99DB52

Function 008AA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

CharLowerBuffW.USER32(?,?), ref: 008AA3CB
GetDriveTypeW.KERNEL32 ref: 008AA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AA4C5

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

Strings

close, xrefs: 008AA3D1
wait, xrefs: 008AA482
closed, xrefs: 008AA3DF, 008AA3E8
close cd wait, xrefs: 008AA4B0
open , xrefs: 008AA427
open, xrefs: 008AA3F2
type cdaudio alias cd wait, xrefs: 008AA443
set cd door , xrefs: 008AA466

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: ca6acc401aac23d76baa9abd6a4abe99b5c1fc704a0c95a2cf0897968e639199
Instruction ID: 19f828ba9d58121aaba890922b6e349289e9577f97d848b49aa2c93f6686ae21
Opcode Fuzzy Hash: ca6acc401aac23d76baa9abd6a4abe99b5c1fc704a0c95a2cf0897968e639199
Instruction Fuzzy Hash: 565149711043099FD704EF28C88196EB7E4FF99758F00886DF89AD7662DB71AD09CB52

Function 0089F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0087E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0089F8DF
LoadStringW.USER32(00000000,?,0087E029,00000001), ref: 0089F8E8

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

GetModuleHandleW.KERNEL32(00000000,00905310,?,00000FFF,?,?,0087E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0089F90A
LoadStringW.USER32(00000000,?,0087E029,00000001), ref: 0089F90D
__swprintf.LIBCMT ref: 0089F95D
__swprintf.LIBCMT ref: 0089F96E
_wprintf.LIBCMT ref: 0089FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0089FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0089FA12
Error: , xrefs: 0089F9E5
^ ERROR, xrefs: 0089F9C3
Line %d:, xrefs: 0089F968
Line %d (File "%s"):, xrefs: 0089F957

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 8923f8dd36b21444236cbeac5b1abd3512daa36b3645b2dd1c78b63bc15b7f7f
Instruction ID: 51ac439e518a13a32e910b4703eae2e13ddfc3d7adf0cd4ec2d1bc26edd9ccc9
Opcode Fuzzy Hash: 8923f8dd36b21444236cbeac5b1abd3512daa36b3645b2dd1c78b63bc15b7f7f
Instruction Fuzzy Hash: 5D410D7290421DAACF05FBE8DD86EEE7B78FF14310F500065B605E6192EB356F49CA62

Function 0087A8CB Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0087A92B
___wtomb_environ.LIBCMT ref: 0087A94D

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

__malloc_crt.LIBCMT ref: 0087A975
__malloc_crt.LIBCMT ref: 0087A992
_free.LIBCMT ref: 0087A9C9
__recalloc_crt.LIBCMT ref: 0087AA02
__recalloc_crt.LIBCMT ref: 0087AA47
_strlen.LIBCMT ref: 0087AA73
__calloc_crt.LIBCMT ref: 0087AA7D
_strlen.LIBCMT ref: 0087AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0087AABA
_free.LIBCMT ref: 0087AAD4
_free.LIBCMT ref: 0087AAE1
_free.LIBCMT ref: 0087AAF3
__invoke_watson.LIBCMT ref: 0087AB0D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 0093ec5680151386fd66dcd51cca6e032038083c01aa878e82c52b5365e69607
Instruction ID: 1a1f723773f5b60629e873494c12acc8dc71049fe5b8973206b86443e5238527
Opcode Fuzzy Hash: 0093ec5680151386fd66dcd51cca6e032038083c01aa878e82c52b5365e69607
Instruction Fuzzy Hash: F8610672508216EFDB189F28D80176E7BA8FF85321F22C215E919E71D9DB34C941CB53

Function 008CBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 008CBA56
GetFileSize.KERNEL32(00000000,00000000), ref: 008CBA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008CBA78
CloseHandle.KERNEL32(00000000), ref: 008CBA85
GlobalLock.KERNEL32(00000000), ref: 008CBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008CBA9D
GlobalUnlock.KERNEL32(00000000), ref: 008CBAA6
CloseHandle.KERNEL32(00000000), ref: 008CBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008CBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,008D2CAC,?), ref: 008CBAD7
GlobalFree.KERNEL32(00000000), ref: 008CBAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 008CBB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 008CBB36
DeleteObject.GDI32(00000000), ref: 008CBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008CBB74

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e9fd4a922ab8c05665bc9024659fe31a7f5c4c5a4f66a05bcb954298590a6576
Instruction ID: a0c84cb0121e8578d0530e129f39a83e8e2a4d31fa077cd038c1ac3bd7a27d78
Opcode Fuzzy Hash: e9fd4a922ab8c05665bc9024659fe31a7f5c4c5a4f66a05bcb954298590a6576
Instruction Fuzzy Hash: D5412875601208EFEB119F65DC89EABBBB9FF89721F104069FA09D7261D7309D01CB60

Function 008AD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 008ADA10
_wcscat.LIBCMT ref: 008ADA28
_wcscat.LIBCMT ref: 008ADA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008ADA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 008ADA63
GetFileAttributesW.KERNEL32(?), ref: 008ADA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 008ADA95
SetCurrentDirectoryW.KERNEL32(?), ref: 008ADAA7

Strings

*.*, xrefs: 008ADAE6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7232cd6ea227a02ecd38ef626bfde6f6dcde43ee9bf170ae36cb260a621090e5
Instruction ID: da9d148d77d14606b71682a322cf1a1fcd9bda8894e53de0c19f77562d51e1ce
Opcode Fuzzy Hash: 7232cd6ea227a02ecd38ef626bfde6f6dcde43ee9bf170ae36cb260a621090e5
Instruction Fuzzy Hash: BF8182715043459FDB24DF68C844AAFBBE4FF8A314F18882EF88AC7A51D630D945CB52

Function 008CC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008CC1FC
GetFocus.USER32 ref: 008CC20C
GetDlgCtrlID.USER32(00000000), ref: 008CC217
_memset.LIBCMT ref: 008CC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 008CC36D
GetMenuItemCount.USER32(?), ref: 008CC38D
GetMenuItemID.USER32(?,00000000), ref: 008CC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 008CC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 008CC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008CC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 008CC489

Strings

0, xrefs: 008CC33A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: da77cdf50d550102a5008dad2cf6cab43de234342436afea97277f199700f08b
Instruction ID: 8548881893dc9054d51d87c4ab0a8792397fafefb5ad481f12041e19ba82ade3
Opcode Fuzzy Hash: da77cdf50d550102a5008dad2cf6cab43de234342436afea97277f199700f08b
Instruction Fuzzy Hash: AC8136702083419FE714CF28D894E6BBBF9FB88714F00892EFA99D6291D730D905CB92

Function 008B731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008B738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008B739B
CreateCompatibleDC.GDI32(?), ref: 008B73A7
SelectObject.GDI32(00000000,?), ref: 008B73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008B7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008B7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008B7468
SelectObject.GDI32(00000006,?), ref: 008B7470
DeleteObject.GDI32(?), ref: 008B7479
DeleteDC.GDI32(00000006), ref: 008B7480
ReleaseDC.USER32(00000000,?), ref: 008B748B

Strings

(, xrefs: 008B7410

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 53aff5a883e076af01f007f1aa8376109b29ba50ccdd4cff763a58917023cf78
Instruction ID: 0ea0885312d41933ba0ccc1b9211a29bd0315b560478adbdcd6f9f310e183fd6
Opcode Fuzzy Hash: 53aff5a883e076af01f007f1aa8376109b29ba50ccdd4cff763a58917023cf78
Instruction Fuzzy Hash: AE512775904309AFDB15CFA8CC85EAEBBB9FF88710F148529EA99D7311C731A9408B50

Function 00846A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00860957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00846B0C,?,00008000), ref: 00860973

Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00846BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00846CFA

Part of subcall function 0084586D: _wcscpy.LIBCMT ref: 008458A5

Part of subcall function 0086363D: _iswctype.LIBCMT ref: 00863645

Strings

AU3!, xrefs: 00846B61
Bad directive syntax error, xrefs: 0087E79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0087E421
EA06, xrefs: 0087E452
Unterminated string, xrefs: 0087E7E4
Error opening the file, xrefs: 0087E43D, 0087E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 0087E496

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 5c17d9ee6eec53de45892a437372949a36dd5ae46fcc019b7bb4d84974e902b3
Instruction ID: 3ad62c68aa535610be3ab29bb35ec57e2dc53c665c65136a4fc95caed8240d59
Opcode Fuzzy Hash: 5c17d9ee6eec53de45892a437372949a36dd5ae46fcc019b7bb4d84974e902b3
Instruction Fuzzy Hash: 9D0258305083489BC714EF28C881AAFBBE5FF99314F14491DF59AD62A2DB31D949CB53

Function 008A2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 008A2DDD
GetMenuItemCount.USER32(00905890), ref: 008A2E66
DeleteMenu.USER32(00905890,00000005,00000000,000000F5,?,?), ref: 008A2EF6
DeleteMenu.USER32(00905890,00000004,00000000), ref: 008A2EFE
DeleteMenu.USER32(00905890,00000006,00000000), ref: 008A2F06
DeleteMenu.USER32(00905890,00000003,00000000), ref: 008A2F0E
GetMenuItemCount.USER32(00905890), ref: 008A2F16
SetMenuItemInfoW.USER32(00905890,00000004,00000000,00000030), ref: 008A2F4C
GetCursorPos.USER32(?), ref: 008A2F56
SetForegroundWindow.USER32(00000000), ref: 008A2F5F
TrackPopupMenuEx.USER32(00905890,00000000,?,00000000,00000000,00000000), ref: 008A2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008A2F7E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 9b898719156bf78487c13787eae608ba56203a4ce7d075fcec9451032fe3c936
Instruction ID: 0f1a021a854490338a914be88a3c4a33f359e365e249307c34c2c5ae5349be21
Opcode Fuzzy Hash: 9b898719156bf78487c13787eae608ba56203a4ce7d075fcec9451032fe3c936
Instruction Fuzzy Hash: 9171B070604209BEFB318F5CDC45FAABF65FB06364F100216F625E65E2CBB16860DB91

Function 008977DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

_memset.LIBCMT ref: 0089786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008978A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008978BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008978D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00897902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0089792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00897935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0089793A

Strings

\CLSID, xrefs: 00897822
SOFTWARE\Classes\, xrefs: 0089780C
\IPC$, xrefs: 00897882

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d809a87099825c1693778f9f843c6d07d727f78d042ea62840db293b716ca827
Instruction ID: 4b6c9978d20bc9bb6767a18ccc662aa9cb214992a62b2abd092d71b42ee5b419
Opcode Fuzzy Hash: d809a87099825c1693778f9f843c6d07d727f78d042ea62840db293b716ca827
Instruction Fuzzy Hash: 9841F57282462DABDF11EBA8DC85DEDBB79FF14710B044069E915E3262EB345E04CB91

Function 008C0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 008C0E9A
HKEY_CURRENT_USER, xrefs: 008C0F10
HKCU, xrefs: 008C0F21
HKCR, xrefs: 008C0ED9
HKLM, xrefs: 008C0EAF
HKEY_CURRENT_CONFIG, xrefs: 008C0EEE
HKU, xrefs: 008C0F43
HKCC, xrefs: 008C0EFF
HKEY_CLASSES_ROOT, xrefs: 008C0EC4
HKEY_USERS, xrefs: 008C0F32

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 729d6cfbd4ebeb33bab1e038814593ddb1754357ab715a71339031cc1d7e790c
Instruction ID: ba84291cbcf6e019fae2cfb70d09a44417f1c36268f8466233f1cc7b870d0a4f
Opcode Fuzzy Hash: 729d6cfbd4ebeb33bab1e038814593ddb1754357ab715a71339031cc1d7e790c
Instruction Fuzzy Hash: 6141343111025A8BCF10EEA8E851BEF3764FF21384F150458F9959B6A2DB30D99ADFA1

Function 0089F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0087E2A0,00000010,?,Bad directive syntax error,008CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0089F7C2
LoadStringW.USER32(00000000,?,0087E2A0,00000010), ref: 0089F7C9

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

_wprintf.LIBCMT ref: 0089F7FC
__swprintf.LIBCMT ref: 0089F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0089F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0089F7F7
., xrefs: 0089F873
Error: , xrefs: 0089F85B
Line %d:, xrefs: 0089F818
Line %d (File "%s"):, xrefs: 0089F833

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 4a3c7dcc714cbd578ad8a8bad67333c1d2d7a66e85b77c859e267bb2ff53ebc0
Instruction ID: 951427bc4c0bd5079645a0551f47b105125b0bede738d2e410772efeec0a5334
Opcode Fuzzy Hash: 4a3c7dcc714cbd578ad8a8bad67333c1d2d7a66e85b77c859e267bb2ff53ebc0
Instruction Fuzzy Hash: 25213E3290021EEBDF11AFA4CC4AEEE7739FF18300F044465F615E61A2EA75A658DB51

Function 008A52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

Part of subcall function 00847924: _memmove.LIBCMT ref: 008479AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008A5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008A5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008A5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008A5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008A537A

Strings

status PlayMe mode, xrefs: 008A532B
close PlayMe, xrefs: 008A5341, 008A536E
play PlayMe, xrefs: 008A5375
alias PlayMe, xrefs: 008A5309
play PlayMe wait, xrefs: 008A5364
open , xrefs: 008A52DF

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a5449dd0251e0980f44750608191bbf1f030e6d87eb3fd2bdf009245de5414bf
Instruction ID: ca6764fbbe23c6b5f7b13a829e6b3da8114d50d51fde6b043628b9f5a9f5619d
Opcode Fuzzy Hash: a5449dd0251e0980f44750608191bbf1f030e6d87eb3fd2bdf009245de5414bf
Instruction Fuzzy Hash: 2F11632195015DB9DB20B675DC49EFFAABCFBE2B44F0004197511D21D1EEA41944C5A1

Function 008A46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008A46D2
gethostname.WSOCK32(?,00000100), ref: 008A46EC
gethostbyname.WSOCK32(?), ref: 008A46F9
_wcscpy.LIBCMT ref: 008A4721
_memmove.LIBCMT ref: 008A4734
inet_ntoa.WSOCK32(?), ref: 008A473F
_strcat.LIBCMT ref: 008A474D
_wcscpy.LIBCMT ref: 008A4764
WSACleanup.WSOCK32 ref: 008A4772
_wcscpy.LIBCMT ref: 008A4780

Strings

0.0.0.0, xrefs: 008A471B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 71342d93173dd2bfa9cb59fd568019ee5e258db8dfc1147ef1bd406028b955ea
Instruction ID: 20619a7c060b4ad430cd3c73c9a58f826c0ee87654d9051e66193210003896c0
Opcode Fuzzy Hash: 71342d93173dd2bfa9cb59fd568019ee5e258db8dfc1147ef1bd406028b955ea
Instruction Fuzzy Hash: 7211D23150011CAFEF20AB349C4AEEA77BDFB42711F0441BAF545D61A2EFB58A818A51

Function 008A4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008A4F7A

Part of subcall function 0086049F: timeGetTime.WINMM(?,75C0B400,00850E7B), ref: 008604A3

Sleep.KERNEL32(0000000A), ref: 008A4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008A4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008A4FEC
SetActiveWindow.USER32 ref: 008A500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008A5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 008A5038
Sleep.KERNEL32(000000FA), ref: 008A5043
IsWindow.USER32 ref: 008A504F
EndDialog.USER32(00000000), ref: 008A5060

Strings

BUTTON, xrefs: 008A4FDE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c1c3716e9b32da39e4781ca04c2db057b75db23e6f228ee22a185aed2fae157d
Instruction ID: 7236eb3a47191251084744c5381f84aaa0568ed55c06e3e58a8023ec7f265376
Opcode Fuzzy Hash: c1c3716e9b32da39e4781ca04c2db057b75db23e6f228ee22a185aed2fae157d
Instruction Fuzzy Hash: A7218470208605AFF7115F74EC89E263BBEFB56745F052025F201C5AB2DBB14D50EA62

Function 008AD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

CoInitialize.OLE32(00000000), ref: 008AD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008AD67D
SHGetDesktopFolder.SHELL32(?), ref: 008AD691
CoCreateInstance.OLE32(008D2D7C,00000000,00000001,008F8C1C,?), ref: 008AD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008AD74C
CoTaskMemFree.OLE32(?,?), ref: 008AD7A4
_memset.LIBCMT ref: 008AD7E1
SHBrowseForFolderW.SHELL32(?), ref: 008AD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008AD840
CoTaskMemFree.OLE32(00000000), ref: 008AD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008AD87E
CoUninitialize.OLE32(00000001,00000000), ref: 008AD880

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c8d052f7195205287999bb2305ca86869660bf1258f2507634f559793a92f895
Instruction ID: 0dc63329c395fe2190e5946e494f09d5dc2faf0866e023836cfd9a2167f97a1e
Opcode Fuzzy Hash: c8d052f7195205287999bb2305ca86869660bf1258f2507634f559793a92f895
Instruction Fuzzy Hash: F3B11D75A00209AFDB14DFA8C884DAEBBB9FF49314F048469F90ADB661DB30ED41CB51

Function 0089C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0089C283
GetWindowRect.USER32(00000000,?), ref: 0089C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0089C2F3
GetDlgItem.USER32(?,00000002), ref: 0089C2FE
GetWindowRect.USER32(00000000,?), ref: 0089C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0089C364
GetDlgItem.USER32(?,000003E9), ref: 0089C372
GetWindowRect.USER32(00000000,?), ref: 0089C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0089C3C6
GetDlgItem.USER32(?,000003EA), ref: 0089C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0089C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0089C3FE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 066d4651e6439ff914acbef1d0af480199e093688eaa2e5122f38c19201f7a97
Instruction ID: eebc017d0c993e15a60ffb1a0edbabbe4998a3a61463b6c5c1df39f97e773176
Opcode Fuzzy Hash: 066d4651e6439ff914acbef1d0af480199e093688eaa2e5122f38c19201f7a97
Instruction Fuzzy Hash: C1514D71B00205ABEF18DFA9DD99EAEBBBAFB98310F14812DF615D7291D7719D008B10

Function 0084201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00841B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00842036,?,00000000,?,?,?,?,008416CB,00000000,?), ref: 00841B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008420D3
KillTimer.USER32(-00000001,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0084216E
DestroyAcceleratorTable.USER32(00000000), ref: 0087BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008416CB,00000000,?,?,00841AE2,?,?), ref: 0087BD0A
DeleteObject.GDI32(00000000), ref: 0087BD1C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d45d663ed7650afe055959da1bbcb4a243f9355e393d78c10d4249ef4d1a56cc
Instruction ID: 7a33432ce773236ef4481ea72f94c59025402e20b7a01b703d092f8be2dc6351
Opcode Fuzzy Hash: d45d663ed7650afe055959da1bbcb4a243f9355e393d78c10d4249ef4d1a56cc
Instruction Fuzzy Hash: 0E619931118A08DFDB359F18D948B2ABBF2FF50316F918428E946CB965C770A880EF91

Function 008421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 008425DB: GetWindowLongW.USER32(?,000000EB), ref: 008425EC

GetSysColor.USER32(0000000F), ref: 008421D3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: adc4078527ed04396bd743419c128430f70d10e153c3d9cc29590ecfbcef0356
Instruction ID: f5718004bfef19681ba3c6f87773b16cc873496aabdc2be9c045b81ae17501ae
Opcode Fuzzy Hash: adc4078527ed04396bd743419c128430f70d10e153c3d9cc29590ecfbcef0356
Instruction Fuzzy Hash: 4C41A331008568DFEB215F28EC88BB97B66FB06331F584265FE65CA1E6C7718C41DB21

Function 008AA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,008CF910), ref: 008AA90B
GetDriveTypeW.KERNEL32(00000061,008F89A0,00000061), ref: 008AA9D5
_wcscpy.LIBCMT ref: 008AA9FF

Strings

all, xrefs: 008AA911
unknown, xrefs: 008AA996
cdrom, xrefs: 008AA927
fixed, xrefs: 008AA953
ramdisk, xrefs: 008AA97F
removable, xrefs: 008AA93D
network, xrefs: 008AA969

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 70a1b18fe17d97b33fc8476c578c9c54843feb0c4f170450f1fcb47128d17d90
Instruction ID: 76280c56d6ac58f22b5c88f399578b15a3e00f0bfc4674424690b7398dc14916
Opcode Fuzzy Hash: 70a1b18fe17d97b33fc8476c578c9c54843feb0c4f170450f1fcb47128d17d90
Instruction Fuzzy Hash: 8E51CD312083049BD714EF18C892AAFBBE9FF85344F05482DF5A5D7AA2DB719909CA53

Function 00849837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00849862
__swprintf.LIBCMT ref: 008498AC
__i64tow.LIBCMT ref: 0087F5E6

Strings

0x%p, xrefs: 0087F5C8
%.15g, xrefs: 008498A6
False, xrefs: 0087F5AE
True, xrefs: 0087F5A7

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 85b2a41e60ceb10af9a17131e842ac12a8f2c4ebdbb7f7cc4cc7f411f30592c1
Instruction ID: bf6f49e0d367c4cce5fe8a840836cb7a3ac5077f7c60a18d399129781743332d
Opcode Fuzzy Hash: 85b2a41e60ceb10af9a17131e842ac12a8f2c4ebdbb7f7cc4cc7f411f30592c1
Instruction Fuzzy Hash: 4241E27160420DAFEB24DF39D842E7AB3E9FF45304F2044BEE689D7296EA31D9018B11

Function 008C7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008C716A
CreateMenu.USER32 ref: 008C7185
SetMenu.USER32(?,00000000), ref: 008C7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008C7221
IsMenu.USER32(?), ref: 008C7237
CreatePopupMenu.USER32 ref: 008C7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008C726E
DrawMenuBar.USER32 ref: 008C7276

Strings

0, xrefs: 008C7160
F, xrefs: 008C7262

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: cbf017eea25b37d93eb7d2dbc2a6b62b09457053bfc396f5b73903eb3afc4b72
Instruction ID: 6e79afcd1ed04b49e84a494338d7aaec17422231f4ee67f392beb1f15afaddc6
Opcode Fuzzy Hash: cbf017eea25b37d93eb7d2dbc2a6b62b09457053bfc396f5b73903eb3afc4b72
Instruction Fuzzy Hash: 3B412675A05209AFEB20DF64D944F9A7BB9FB48350F144029FA4697361D731A910DF90

Function 008C74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008C755E
CreateCompatibleDC.GDI32(00000000), ref: 008C7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008C7578
SelectObject.GDI32(00000000,00000000), ref: 008C7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 008C758B
DeleteDC.GDI32(00000000), ref: 008C7594
GetWindowLongW.USER32(?,000000EC), ref: 008C759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008C75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008C75BE

Strings

static, xrefs: 008C74F6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 633db477a1f36e8b7746683299ee3e97e0b9b7137c0f47e9e95a1769d639a4ea
Instruction ID: 8999dae839a1f7fce17843c04582d90b9e5932efaab1bd55aed9e136498cdbed
Opcode Fuzzy Hash: 633db477a1f36e8b7746683299ee3e97e0b9b7137c0f47e9e95a1769d639a4ea
Instruction Fuzzy Hash: 24315672104218ABEF129F64DC09FEA3B7AFF09720F110229FA15E61A1C731D821DBA4

Function 00866E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00866E3E

Part of subcall function 00868B28: __getptd_noexit.LIBCMT ref: 00868B28

__gmtime64_s.LIBCMT ref: 00866ED7
__gmtime64_s.LIBCMT ref: 00866F0D
__gmtime64_s.LIBCMT ref: 00866F2A
__allrem.LIBCMT ref: 00866F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00866F9C
__allrem.LIBCMT ref: 00866FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00866FD1
__allrem.LIBCMT ref: 00866FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00867006
__invoke_watson.LIBCMT ref: 00867077

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 3d845aef91e77a57d3f3dbc5ad194bbc6f1d6dd95b18e31683464dafef8c305a
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: A971E476A00B17EBD714EE6DDC42B6AB7A8FF04324F158229F514D6281FB71DA1087D2

Function 008A2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A2542
GetMenuItemInfoW.USER32(00905890,000000FF,00000000,00000030), ref: 008A25A3
SetMenuItemInfoW.USER32(00905890,00000004,00000000,00000030), ref: 008A25D9
Sleep.KERNEL32(000001F4), ref: 008A25EB
GetMenuItemCount.USER32(?), ref: 008A262F
GetMenuItemID.USER32(?,00000000), ref: 008A264B
GetMenuItemID.USER32(?,-00000001), ref: 008A2675
GetMenuItemID.USER32(?,?), ref: 008A26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008A2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A2735

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 119ede95994f03f5a56058a3529229bc55349ad81c51b2bd44133e25c26b90ec
Instruction ID: e36d9ca90dd2fabc2ece90eedf8b888be410c8d07120e4d604c0cfda40db8967
Opcode Fuzzy Hash: 119ede95994f03f5a56058a3529229bc55349ad81c51b2bd44133e25c26b90ec
Instruction Fuzzy Hash: 35619C70901249AFEB21CFACDD88EBE7BB9FB06308F140059E952E3651D731AE05DB21

Function 008C6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008C6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008C6FA8
GetWindowLongW.USER32(?,000000F0), ref: 008C6FCC
_memset.LIBCMT ref: 008C6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008C6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008C7067

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 5edc0df768a985d157fe659ff7558f2de75845d2893535ec528e5d71f6bbeacc
Instruction ID: 026304b10acfbcb7baaee1ba2446148245d2c3e2a850e5117c51561bbc935e6a
Opcode Fuzzy Hash: 5edc0df768a985d157fe659ff7558f2de75845d2893535ec528e5d71f6bbeacc
Instruction Fuzzy Hash: 61613675904208AFDB11DFA8CC81FAE77B8FB09714F14416AFA14EB2A1D771A941DF90

Function 00896B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00896BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00896C18
VariantInit.OLEAUT32(?), ref: 00896C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00896C4A
VariantCopy.OLEAUT32(?,?), ref: 00896C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00896CB1
VariantClear.OLEAUT32(?), ref: 00896CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00896CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00896CDC
VariantClear.OLEAUT32(?), ref: 00896CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00896CF9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5b30d547fad2b8cd8219d1f152d21bba8aa2f502ea734b2bb9212a66afea4602
Instruction ID: ecde5d267e5cdd00bb1fdfdf1f4a06ce44d4e0210dcd455a8556f6f6d1fea897
Opcode Fuzzy Hash: 5b30d547fad2b8cd8219d1f152d21bba8aa2f502ea734b2bb9212a66afea4602
Instruction Fuzzy Hash: B3417F71A002199FDF04EFA8D844DAEBBB9FF08354F048069FA55E7261DB30A955CB91

Function 008B83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

CoInitialize.OLE32 ref: 008B8403
CoUninitialize.OLE32 ref: 008B840E
CoCreateInstance.OLE32(?,00000000,00000017,008D2BEC,?), ref: 008B846E
IIDFromString.OLE32(?,?), ref: 008B84E1
VariantInit.OLEAUT32(?), ref: 008B857B
VariantClear.OLEAUT32(?), ref: 008B85DC

Strings

Failed to create object, xrefs: 008B8479, 008B852F
NULL Pointer assignment, xrefs: 008B84B3
Invalid parameter, xrefs: 008B84FA

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8372b28295d59a297106a68e07ac5a78fa46307830bad39be81fd74625d737b2
Instruction ID: 08dc82bd17e40636e861d1cd7c50ea137e9d6022f5eca409a6ffcefba66a44bc
Opcode Fuzzy Hash: 8372b28295d59a297106a68e07ac5a78fa46307830bad39be81fd74625d737b2
Instruction Fuzzy Hash: FD614670608216DFD720DF28C849AAABBE8FF49754F044519F985DB391CB70E948CB96

Function 008B5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008B5793
inet_addr.WSOCK32(?,?,?), ref: 008B57D8
gethostbyname.WSOCK32(?), ref: 008B57E4
IcmpCreateFile.IPHLPAPI ref: 008B57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008B5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008B5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 008B58ED
WSACleanup.WSOCK32 ref: 008B58F3

Strings

Ping, xrefs: 008B5816

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 49659461a81cd1e14fd002b1f97b98714b7e47713dc73129d484063aad5308e9
Instruction ID: 6c5c48e7de36cd59cdda97a99d078abb859b97991e741df25c312f82ad3d32ee
Opcode Fuzzy Hash: 49659461a81cd1e14fd002b1f97b98714b7e47713dc73129d484063aad5308e9
Instruction Fuzzy Hash: 84514D316046049FDB21EF29DC45B6A7BE4FF48724F04452AF996DB3A2DB70E900DB52

Function 008AB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008AB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008AB546
GetLastError.KERNEL32 ref: 008AB550
SetErrorMode.KERNEL32(00000000,READY), ref: 008AB5BD

Strings

READY, xrefs: 008AB596
READONLY, xrefs: 008AB588
UNKNOWN, xrefs: 008AB575
INVALID, xrefs: 008AB58F
NOTREADY, xrefs: 008AB57C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a160c2c62ea5d84ec032e6da1a89886d41ad1433ee04bdf324abb06b98f7f191
Instruction ID: 5942aefb6944d9a7748622c2987b5a6d2e7c5eae72f023126d90173e65f82917
Opcode Fuzzy Hash: a160c2c62ea5d84ec032e6da1a89886d41ad1433ee04bdf324abb06b98f7f191
Instruction Fuzzy Hash: D8318035E00209DFEB10EBA8C845EBE7BB4FF4A314F144126E615D7692DB71DA41CB51

Function 00898F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00899014
GetDlgCtrlID.USER32 ref: 0089901F
GetParent.USER32 ref: 0089903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0089903E
GetDlgCtrlID.USER32(?), ref: 00899047
GetParent.USER32(?), ref: 00899063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00899066

Strings

ListBox, xrefs: 00898FD1
ComboBox, xrefs: 00898F9C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3ddc11d427f45fbc03c538fc4c8ddd2d178e95efa72fffb70ee5f06c104d07f4
Instruction ID: ac36574212643422903f3ebc67abbf36448945dff290c0c5a4536f28f6e6674a
Opcode Fuzzy Hash: 3ddc11d427f45fbc03c538fc4c8ddd2d178e95efa72fffb70ee5f06c104d07f4
Instruction Fuzzy Hash: E721B270A00108BBDF04ABA4CC85EFEBB75FF59310F140119FA61D72A2EB755815DB21

Function 0089907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008990FD
GetDlgCtrlID.USER32 ref: 00899108
GetParent.USER32 ref: 00899124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00899127
GetDlgCtrlID.USER32(?), ref: 00899130
GetParent.USER32(?), ref: 0089914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0089914F

Strings

ListBox, xrefs: 008990BC
ComboBox, xrefs: 00899087

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 92572c6039583fcf34ff427ef62345f330ccd105297a590dfcb7c57dbfd60063
Instruction ID: 358a7e8c353eec3df9dcd61ce5494add8b41be2bb76efd75db9f21020ee57f63
Opcode Fuzzy Hash: 92572c6039583fcf34ff427ef62345f330ccd105297a590dfcb7c57dbfd60063
Instruction Fuzzy Hash: 9921DA74A00108BBEF05ABA8CC85EFEBB75FF58300F144019F661D72A2EB795415DB21

Function 00899163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0089916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00899184
_wcscmp.LIBCMT ref: 00899196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00899211

Strings

SHELLDLL_DefView, xrefs: 00899190
details, xrefs: 008991BF
smallicons, xrefs: 008991D9
list, xrefs: 008991F3
largeicons, xrefs: 008991A5

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 3553d3a8e55ce366cfd0b67f2307fb747cf0eb0157adbd1f44a32d87c47b8e0b
Instruction ID: 2da9263fbb6228f1ddea6d5fffb6e8201b331238fdf2b3612775835e40f465b4
Opcode Fuzzy Hash: 3553d3a8e55ce366cfd0b67f2307fb747cf0eb0157adbd1f44a32d87c47b8e0b
Instruction Fuzzy Hash: BB113D3A34830BB5FE10377CDC06DB73B9CFB10320B24006AFA20E44D2FEA658115550

Function 008B88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008B88D7
CoInitialize.OLE32(00000000), ref: 008B8904
CoUninitialize.OLE32 ref: 008B890E
GetRunningObjectTable.OLE32(00000000,?), ref: 008B8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 008B8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,008D2C0C), ref: 008B8B6F
CoGetObject.OLE32(?,00000000,008D2C0C,?), ref: 008B8B92
SetErrorMode.KERNEL32(00000000), ref: 008B8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008B8C25
VariantClear.OLEAUT32(?), ref: 008B8C35

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 8a8072392dfd7462ee2fc084bdb6c134883e500a6a918d4a113f3bfb5ad19cf8
Instruction ID: 3e881c7db9d3c348c79573a21d351f259af77d32f2e6b32aa1692b56b86875b7
Opcode Fuzzy Hash: 8a8072392dfd7462ee2fc084bdb6c134883e500a6a918d4a113f3bfb5ad19cf8
Instruction Fuzzy Hash: EAC1E1B1608205EFD700DF68C88496ABBE9FB89758F00492DF589DB261DB71ED05CB52

Function 008A7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 008A7A6C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 38e0ee6adcc4e5d66b4c9e6b1c0cf0249723029a8e9ee06e3cc760b4b3d78f29
Instruction ID: b87b0857b96d49ce007c7949c6a406d4927e6cba24f9afe65ff543bc09921924
Opcode Fuzzy Hash: 38e0ee6adcc4e5d66b4c9e6b1c0cf0249723029a8e9ee06e3cc760b4b3d78f29
Instruction Fuzzy Hash: 74B19F7190421A9FEB10DFA8CC84BBEB7B5FF0A325F244429E641E7641D734A941EBA1

Function 008A11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008A11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A1204
GetWindowThreadProcessId.USER32(00000000), ref: 008A120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 008A122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008A0268,?,00000001), ref: 008A1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008A0268,?,00000001), ref: 008A12BC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b0c9cb75482bd3b288c62ebe664610dfcda2d67caaa56d6674019370f99b6379
Instruction ID: a9b61c57bed77438993c14937ce25db0e2b1abc824c7ded9651be8da1b32f391
Opcode Fuzzy Hash: b0c9cb75482bd3b288c62ebe664610dfcda2d67caaa56d6674019370f99b6379
Instruction Fuzzy Hash: 1931A975618204AFFF20DF54EC88F6977AAFB66351F104125FA01C76A1D7B4DD409B60

Function 0087BDA2 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00842231
SetTextColor.GDI32(?,000000FF), ref: 0084223B
SetBkMode.GDI32(?,00000001), ref: 00842250
GetStockObject.GDI32(00000005), ref: 00842258
GetClientRect.USER32(?), ref: 0087BDBB
SendMessageW.USER32(?,00001328,00000000,?), ref: 0087BDD2
GetWindowDC.USER32(?), ref: 0087BDDE
GetPixel.GDI32(00000000,?,?), ref: 0087BDED
ReleaseDC.USER32(?,00000000), ref: 0087BDFF
GetSysColor.USER32(00000005), ref: 0087BE1D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 465df0ffdd46d39d7e982bfbc265aace5ef9f03e3163991c72c042b48acdae44
Instruction ID: 37980b96d50091d73f080db3a2ec2e25e399b398389b3d2fd957de2bf9fcf711
Opcode Fuzzy Hash: 465df0ffdd46d39d7e982bfbc265aace5ef9f03e3163991c72c042b48acdae44
Instruction Fuzzy Hash: 24212932104609EFEB215FA4EC08FA97B72FB18321F544265FB25951F2CB714951EF11

Function 0084FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0084FAA6
OleUninitialize.OLE32(?,00000000), ref: 0084FB45
UnregisterHotKey.USER32(?), ref: 0084FC9C
DestroyWindow.USER32(?), ref: 008845D6
FreeLibrary.KERNEL32(?), ref: 0088463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00884668

Strings

close all, xrefs: 0084FAA1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bb6e497852c5bc52b473f895236a58244f94e1b63af271475891f9ef89c65e9d
Instruction ID: 8c4267bd2f2961ec568ef8a130687830153884c88fb1dc55d51266704fca678f
Opcode Fuzzy Hash: bb6e497852c5bc52b473f895236a58244f94e1b63af271475891f9ef89c65e9d
Instruction Fuzzy Hash: A1A19E3130122ACFDB29EF18C994A29F761FF15714F1442ADE90AEB262DB30AC16CF51

Function 0089A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0089A439), ref: 0089A377

Strings

REGEXPCLASS, xrefs: 0089A13C
INSTANCE, xrefs: 0089A285
CLASSNN, xrefs: 0089A119
CLASS, xrefs: 0089A0F6
NAME, xrefs: 0089A1A9
TEXT, xrefs: 0089A2AE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b220d1cb7cc111b0677288a3836d7311bf7af841d9380e06a2108f038414c35d
Instruction ID: c94bfa9cacb22729b8d40cc96fd86dc1a655cfe56587d00abf662cfd13ec9296
Opcode Fuzzy Hash: b220d1cb7cc111b0677288a3836d7311bf7af841d9380e06a2108f038414c35d
Instruction Fuzzy Hash: 4E91703060060AAADF0CEFA4C446BEEFB75FF04304F588119E95AE7251DB316999DBD2

Function 00842E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00842EAE

Part of subcall function 00841DB3: GetClientRect.USER32(?,?), ref: 00841DDC
Part of subcall function 00841DB3: GetWindowRect.USER32(?,?), ref: 00841E1D
Part of subcall function 00841DB3: ScreenToClient.USER32(?,?), ref: 00841E45

GetDC.USER32 ref: 0087CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0087CD45
SelectObject.GDI32(00000000,00000000), ref: 0087CD53
SelectObject.GDI32(00000000,00000000), ref: 0087CD68
ReleaseDC.USER32(?,00000000), ref: 0087CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0087CDFB

Strings

U, xrefs: 0087CCD0

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 86654effc4a114abd18c53308d7afb4a8ba0d3b2dc6cf500847a71db4081af53
Instruction ID: 00c8db0cbb7b4730b5edaf5ddb467c01f1074b7a6d40918b8aa340f056ae68bd
Opcode Fuzzy Hash: 86654effc4a114abd18c53308d7afb4a8ba0d3b2dc6cf500847a71db4081af53
Instruction Fuzzy Hash: 61718E31504209DFCF218F64C884AAA7FB5FF48324F14826AFD59DB2AAD731C881DB60

Function 008B1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008B1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008B1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 008B1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008B1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008B1B10
InternetCloseHandle.WININET(00000000), ref: 008B1B57

Part of subcall function 008B2483: GetLastError.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B2498
Part of subcall function 008B2483: SetEvent.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B24AD

Strings

, xrefs: 008B1B01

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 9c5b82915a38610336b8007ea10dea2d936df3993a50372c71d59e0ef2ea3bcf
Instruction ID: 93becb24150410d38461b6cd0e0e898f7822778cf46dbc1bd15abecdc1b17940
Opcode Fuzzy Hash: 9c5b82915a38610336b8007ea10dea2d936df3993a50372c71d59e0ef2ea3bcf
Instruction Fuzzy Hash: F0414CB1501219BFEF119F54CC99FFA7BADFB08354F00412AFA05DA241E770AE449BA5

Function 008B8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,008CF910), ref: 008B8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,008CF910), ref: 008B8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008B8ED6
SysFreeString.OLEAUT32(?), ref: 008B8F00

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e7adf88b027981b552db6c9b5ca01417bf50ec8e21b377a91492656acf02bff4
Instruction ID: 510ddd0a882418b066fa3db011ad0612e786a61ec3e4483e769c0eb1234b3a6b
Opcode Fuzzy Hash: e7adf88b027981b552db6c9b5ca01417bf50ec8e21b377a91492656acf02bff4
Instruction Fuzzy Hash: 27F1F471A00119EFDB14EF94C884EEEB7B9FF45314F148498E905EB251DB31AE46CB61

Function 008BF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008BF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008BF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008BF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008BF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008BF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008BFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008BFA7C
CloseHandle.KERNEL32(?), ref: 008BFAAB
CloseHandle.KERNEL32(?), ref: 008BFB22

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 49f4f446c9137d09f80feb1a487f87b102c8a6582116afb2a3c6ac7803d526a5
Instruction ID: 52d2ddbf6a9e2ba37b0f597d2b4e8fef71dc2a6a1569c7c6233e4af584d03226
Opcode Fuzzy Hash: 49f4f446c9137d09f80feb1a487f87b102c8a6582116afb2a3c6ac7803d526a5
Instruction Fuzzy Hash: 7EE17D316042509FD724EF28C881AAABBE1FF85314F14896DF999DB3A2DB31DC45CB52

Function 008A4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008A3697,?), ref: 008A468B

Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008A3697,?), ref: 008A46A4

Part of subcall function 008A4A31: GetFileAttributesW.KERNEL32(?,008A370B), ref: 008A4A32

lstrcmpiW.KERNEL32(?,?), ref: 008A4D40
_wcscmp.LIBCMT ref: 008A4D5A
MoveFileW.KERNEL32(?,?), ref: 008A4D75

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: de645e977e6dc2d9f009877f0069b43a143e8c500a11ae3a79ad3eb074b19df1
Instruction ID: 1c18e639db805e478952a47bf313fb61eef00222aa575d6060a761e8f22fa46f
Opcode Fuzzy Hash: de645e977e6dc2d9f009877f0069b43a143e8c500a11ae3a79ad3eb074b19df1
Instruction Fuzzy Hash: D15151B24083459BDB24DB64D8819DFB7ECFF85310F00192EB689D3552EF74A588C766

Function 008C8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008C86FF

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9cc11070ab96ad0117242ecab9f81884242b7b35d93909ef2f6237dc1cca49a9
Instruction ID: a9ea4d6cd8c33c6bfb5d5b6624528dcf900c7876c6617adb4a7dc086028808ab
Opcode Fuzzy Hash: 9cc11070ab96ad0117242ecab9f81884242b7b35d93909ef2f6237dc1cca49a9
Instruction Fuzzy Hash: 3151A330580258FEEF209B28DC89FAD7BB5FB15314F604129FA11E66A1DF71E980DB51

Function 00842B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0087C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0087C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0087C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0087C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0087C370
DestroyIcon.USER32(00000000), ref: 0087C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0087C39C
DestroyIcon.USER32(?), ref: 0087C3AB

Part of subcall function 008CA4AF: DeleteObject.GDI32(00000000), ref: 008CA4E8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 5797779ec2306730f749f9de2688d0ce0ba533db8e19194db6f0a828809566a4
Instruction ID: 20966d4a7e7c65cf061b367be99cb972d0befea925456cec308536d043e036a5
Opcode Fuzzy Hash: 5797779ec2306730f749f9de2688d0ce0ba533db8e19194db6f0a828809566a4
Instruction Fuzzy Hash: 12513670614209EFDB24DF64CC45FAA7BB9FB58324F508528F946D72A0D7B0E990DB50

Function 0089966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0089A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0089A84C
Part of subcall function 0089A82C: GetCurrentThreadId.KERNEL32 ref: 0089A853
Part of subcall function 0089A82C: AttachThreadInput.USER32(00000000,?,00899683,?,00000001), ref: 0089A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0089968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008996AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008996AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 008996B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008996D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008996D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 008996E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008996F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008996FB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dd1e3b292fa450f2413d34591e8c3e07274dae8713f9fb9d7652bd471f61525f
Instruction ID: 0e40e24b5e3c7027aab549fe7afa47e5e01588261212bb94fe267ae73453b672
Opcode Fuzzy Hash: dd1e3b292fa450f2413d34591e8c3e07274dae8713f9fb9d7652bd471f61525f
Instruction Fuzzy Hash: 1E11E571910218BEFA116F64DC49F6A3F2EFB5C795F110426F744AB0A1C9F35C10DAA4

Function 00898921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0089853C,00000B00,?,?), ref: 0089892A
HeapAlloc.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 00898931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0089853C,00000B00,?,?), ref: 00898946
GetCurrentProcess.KERNEL32(?,00000000,?,0089853C,00000B00,?,?), ref: 0089894E
DuplicateHandle.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 00898951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0089853C,00000B00,?,?), ref: 00898961
GetCurrentProcess.KERNEL32(0089853C,00000000,?,0089853C,00000B00,?,?), ref: 00898969
DuplicateHandle.KERNEL32(00000000,?,0089853C,00000B00,?,?), ref: 0089896C
CreateThread.KERNEL32(00000000,00000000,00898992,00000000,00000000,00000000), ref: 00898986

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 4651f599454f3484359c6f5f1af50357eff9162500a08b2246b9174e67671820
Instruction ID: 2b3469d8438bdbd8081ab8c74e3ea200647de3a40a910840938e98bb44cdbe99
Opcode Fuzzy Hash: 4651f599454f3484359c6f5f1af50357eff9162500a08b2246b9174e67671820
Instruction Fuzzy Hash: B501ACB5240304FFE611ABA5DC49F677B6DFB89711F444421FB05DB191CA7598008A20

Function 008B9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 008B9BA4, 008B9EC8
Not an Object type, xrefs: 008B9B7B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bd7bbb2e9b0d41fe9abc0a29d3623f3663c7e71a4197a8c7e5b540db96aa6765
Instruction ID: 3153096313df38f0d041329619cde2008508115c12d6927567dbe4e7f7ca343d
Opcode Fuzzy Hash: bd7bbb2e9b0d41fe9abc0a29d3623f3663c7e71a4197a8c7e5b540db96aa6765
Instruction Fuzzy Hash: BCC17171A0021A9BDF10DFA8D884AEEB7F5FB48314F158469EA45EB381E770ED45CB90

Function 008B9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008B9167
VariantInit.OLEAUT32(?), ref: 008B9238
VariantInit.OLEAUT32(?), ref: 008B9339
VariantClear.OLEAUT32(?), ref: 008B9343
VariantClear.OLEAUT32(?), ref: 008B93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008B91C8, 008B92F6, 008B93AE
Incorrect Object type in FOR..IN loop, xrefs: 008B931C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: bbdfaf049834be927607ed878d18a517b5dd4e818f99c79db89a0844ea08fe4b
Instruction ID: 6ca47e994bcddebd6b3adf7aa324805f18ad116911f18f0cfd867ec649ef65a1
Opcode Fuzzy Hash: bbdfaf049834be927607ed878d18a517b5dd4e818f99c79db89a0844ea08fe4b
Instruction Fuzzy Hash: 09915971A00219ABDF24CFA5C888FEEBBB8FF49714F108159E655EB381D7709945CBA0

Function 008B975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0089710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?,?,00897455), ref: 00897127
Part of subcall function 0089710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897142
Part of subcall function 0089710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897150
Part of subcall function 0089710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?), ref: 00897160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 008B9806
_memset.LIBCMT ref: 008B9813
_memset.LIBCMT ref: 008B9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 008B9982
CoTaskMemFree.OLE32(?), ref: 008B998D

Strings

NULL Pointer assignment, xrefs: 008B99DB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 9851640814788d65e1e1a274a9c9fb9d56787319a00fdd075a057c8e5c646016
Instruction ID: dcd3a106b517723fe17d77c5fd0e709823e32c5819b2d3c068bcd3ac1cc63e94
Opcode Fuzzy Hash: 9851640814788d65e1e1a274a9c9fb9d56787319a00fdd075a057c8e5c646016
Instruction Fuzzy Hash: CC91147190022DEBDB10DFA5DC41EDEBBB9FF08710F20416AE519E7291EB719A44CBA1

Function 008C6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008C6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 008C6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008C6E52
_wcscat.LIBCMT ref: 008C6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 008C6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008C6EF2

Strings

SysListView32, xrefs: 008C6DF6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f78f234f961dd3fd8b392f9b8710553b3398346fc7d4ee4b228adfa98fb1e0d2
Instruction ID: 56057b7e37b5e278afb15fae289217ac1e930aec943c30d389c31eacd8613898
Opcode Fuzzy Hash: f78f234f961dd3fd8b392f9b8710553b3398346fc7d4ee4b228adfa98fb1e0d2
Instruction Fuzzy Hash: A3418271A00348ABEB219F64CC85FEA77B9FF08354F10446EF685D7291D672DD948B60

Function 008BE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 008A3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 008A3C7A
Part of subcall function 008A3C55: Process32FirstW.KERNEL32(00000000,?), ref: 008A3C88
Part of subcall function 008A3C55: CloseHandle.KERNEL32(00000000), ref: 008A3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008BE9A4
GetLastError.KERNEL32 ref: 008BE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008BE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 008BEA63
GetLastError.KERNEL32(00000000), ref: 008BEA6E
CloseHandle.KERNEL32(00000000), ref: 008BEAA3

Strings

SeDebugPrivilege, xrefs: 008BE9C2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: eb2b91d4de1e24e53fc380e358e1aeb233bd36fa4c25c1c8c3dddede714fe8f9
Instruction ID: 5fff90bc31ca9aae18072ebe872ac223ba3890507375f98f98e4e62cebb4ed82
Opcode Fuzzy Hash: eb2b91d4de1e24e53fc380e358e1aeb233bd36fa4c25c1c8c3dddede714fe8f9
Instruction Fuzzy Hash: B8418A312002059FDB21EF28CC95FAEBBA5FF50314F088419FA429B3D2DB75A804CB96

Function 008A2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008A3033

Strings

question, xrefs: 008A2FEC
warning, xrefs: 008A301C
stop, xrefs: 008A3004
blank, xrefs: 008A2FB5
info, xrefs: 008A2FD4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4c049e5a783180c8a07b4a71d8e50b5b05b3b01d1454636a830365fac30e2825
Instruction ID: 4e471a22b58045f4a5e95fbf221f0d65924952d64483f25733df0f8d11216be7
Opcode Fuzzy Hash: 4c049e5a783180c8a07b4a71d8e50b5b05b3b01d1454636a830365fac30e2825
Instruction Fuzzy Hash: 14112B35348B8ABFF7149B18DC42C6B779CFF1A324B20006AFA10E6682EB755F4055A5

Function 008A42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008A4312
LoadStringW.USER32(00000000), ref: 008A4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008A432F
LoadStringW.USER32(00000000), ref: 008A4336
_wprintf.LIBCMT ref: 008A435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008A437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008A4357

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: df2de7a32fb8cedee2387ef81076c79a849eb71594ca49a4d49b615884a599d8
Instruction ID: a4513ccce6de4cd602a2130f732450aec645aec1a31856a7d9cd42e72a221560
Opcode Fuzzy Hash: df2de7a32fb8cedee2387ef81076c79a849eb71594ca49a4d49b615884a599d8
Instruction Fuzzy Hash: 2A014FF2900208BFFB1197A4DD89EE6777CFB08301F0005A6B745E2152EA749E854B75

Function 008CD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

GetSystemMetrics.USER32(0000000F), ref: 008CD47C
GetSystemMetrics.USER32(0000000F), ref: 008CD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008CD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008CD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008CD716
ShowWindow.USER32(00000003,00000000), ref: 008CD735
InvalidateRect.USER32(?,00000000,00000001), ref: 008CD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 008CD77D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a927ca408d08c3f07ec28bdc61d54a6ec9d12d1a16b5761f6926041ea4b85b01
Instruction ID: 79ca426b1c7baaf4229cb9e5024dea2a36363b618b30a05c943ce73cf0d64324
Opcode Fuzzy Hash: a927ca408d08c3f07ec28bdc61d54a6ec9d12d1a16b5761f6926041ea4b85b01
Instruction Fuzzy Hash: 92B16871600229AFDF14DF68C985BAA7BB1FF48711F09C079ED48DA295D734E950CB90

Function 00842A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 00842ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00842B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 0087C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0087C1C7,00000004,00000000,00000000,00000000), ref: 0087C286

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f6b8ac181d8e9399751cb4eeff7e9b1a1837de704b50263dee2accef801b0c81
Instruction ID: f3f6aae252ae2c06efc482ee5474264491784e04e7eeb2711d5c11e24c99fe71
Opcode Fuzzy Hash: f6b8ac181d8e9399751cb4eeff7e9b1a1837de704b50263dee2accef801b0c81
Instruction Fuzzy Hash: 8141243021C6889AD735CB288C8CB6B7BA2FB85314F98C81DF94BC3562C675D885D721

Function 008A70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008A70DD

Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008A7114
EnterCriticalSection.KERNEL32(?), ref: 008A7130
_memmove.LIBCMT ref: 008A717E
_memmove.LIBCMT ref: 008A719B
LeaveCriticalSection.KERNEL32(?), ref: 008A71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008A71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 008A71DE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: cd86f49cb990ffcc771c2db6eef6240f5b2266b4c09343b2a3d0e76861c7847e
Instruction ID: 188cd3172222342ac2c08e3f45351c01c1c037d0cbf985cc61d643e6a7cbf107
Opcode Fuzzy Hash: cd86f49cb990ffcc771c2db6eef6240f5b2266b4c09343b2a3d0e76861c7847e
Instruction Fuzzy Hash: FC316D71900205EBDB00DFA8DC85EAFB7B9FF45310F1541B6E904EB246DB309A10DBA5

Function 008C61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008C61EB
GetDC.USER32(00000000), ref: 008C61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008C61FE
ReleaseDC.USER32(00000000,00000000), ref: 008C620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008C6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008C6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008C902A,?,?,000000FF,00000000,?,000000FF,?), ref: 008C6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008C62B1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 846d98c0744300fd09cd0205d0aa4ab27074b98e403d0f1572dbff28d5707a72
Instruction ID: 7a6f2972e7c8832c058643a5dc35476f0b9e783e271122461470214f0c406719
Opcode Fuzzy Hash: 846d98c0744300fd09cd0205d0aa4ab27074b98e403d0f1572dbff28d5707a72
Instruction Fuzzy Hash: 54316B72201210BFEB118F50CC8AFEA3BBAFF59765F044065FE08DA292D6759C51CB60

Function 0089BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0089BBC4
_memcmp.LIBCMT ref: 0089BBE6
_memcmp.LIBCMT ref: 0089BBFE
_memcmp.LIBCMT ref: 0089BC11
_memcmp.LIBCMT ref: 0089BC2B
_memcmp.LIBCMT ref: 0089BC3E
_memcmp.LIBCMT ref: 0089BC56
_memcmp.LIBCMT ref: 0089BC71

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6c99e431ef91f1a875fa1c4943b3ae6fbdd243d538656a33c290cd6673e7b8f3
Instruction ID: 9322ea56e5edc999ac32b339ae25ae3342f759ed7a250620ecf9d784520e7c1d
Opcode Fuzzy Hash: 6c99e431ef91f1a875fa1c4943b3ae6fbdd243d538656a33c290cd6673e7b8f3
Instruction Fuzzy Hash: A52171A16012097BAE047615AE42FBB735EFF6039CF0C4011FD04DA787EF58DE1182A6

Function 008AEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9

_wcstok.LIBCMT ref: 008AEC94
_wcscpy.LIBCMT ref: 008AED23
_memset.LIBCMT ref: 008AED56

Strings

X, xrefs: 008AED93

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ced909b5076894bb29619e94fcd810b916d543466f98c110f74f8ef20a096fc2
Instruction ID: afcc0c18171c25c1be81f139e314e60680104f95312e8088451eb2bc44ff1931
Opcode Fuzzy Hash: ced909b5076894bb29619e94fcd810b916d543466f98c110f74f8ef20a096fc2
Instruction Fuzzy Hash: 13C149716087149FD764EF28C885A6AB7E4FF85310F00492DF999DB6A2DB70E845CB83

Function 00841424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5ca9fe9372c5e593452f22ba8bd45ae23d6b4c6cc3cb3b6835a0c920eee135
Instruction ID: b30decd15277d26c96647260bae9d1096e74d99c5fa7cf9caafe9090b104fc17
Opcode Fuzzy Hash: cd5ca9fe9372c5e593452f22ba8bd45ae23d6b4c6cc3cb3b6835a0c920eee135
Instruction Fuzzy Hash: 7C71493090010DEFDF05CF98CC89AAEBB7AFF85354F148159F915EA251C734AA91CBA4

Function 008B6B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cab0c1215be3585faee5c40f61570ec72ff88dfc102909e82580361dce5ed39
Instruction ID: 06c3a23ce16216129e5c429bd084ec466c42a9e88c9a82a7fa3c58826828524a
Opcode Fuzzy Hash: 1cab0c1215be3585faee5c40f61570ec72ff88dfc102909e82580361dce5ed39
Instruction Fuzzy Hash: FF61BE71204304ABD720EB28CC82EAFB7A8FF94714F144919F595DB292EB759D14CB92

Function 008CB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F36480), ref: 008CB3EB
IsWindowEnabled.USER32(00F36480), ref: 008CB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 008CB4DB
SendMessageW.USER32(00F36480,000000B0,?,?), ref: 008CB512
IsDlgButtonChecked.USER32(?,?), ref: 008CB54F
GetWindowLongW.USER32(00F36480,000000EC), ref: 008CB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008CB589

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 32c9580f424b209a8312dbe3c038923349bbc6943fc01a37112c3a8c1a05545e
Instruction ID: 556d47dd2f1338704051f7461d7c149c0b8b5466d5e5051a610dc36b83394911
Opcode Fuzzy Hash: 32c9580f424b209a8312dbe3c038923349bbc6943fc01a37112c3a8c1a05545e
Instruction Fuzzy Hash: 37718E34608A44EFEB249F64C896FAA7BBAFF09300F14415DEA45D73A2C731E940DB54

Function 008BF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008BF448
_memset.LIBCMT ref: 008BF511
ShellExecuteExW.SHELL32(?), ref: 008BF556

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9

GetProcessId.KERNEL32(00000000), ref: 008BF5CD
CloseHandle.KERNEL32(00000000), ref: 008BF5FC

Strings

@, xrefs: 008BF525

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5ad6fb85973e722d56604a58a54bc7d0fe6a9998a2076f7fed9dced46c0b896c
Instruction ID: 644b5ccb02dd8922936d536057994fdb705eb8a54fe3d231bc392ff89cf8c7f2
Opcode Fuzzy Hash: 5ad6fb85973e722d56604a58a54bc7d0fe6a9998a2076f7fed9dced46c0b896c
Instruction Fuzzy Hash: 7761BD75A00619DFCB24EF68C8819AEBBF5FF48310F148069E959EB352CB31AD41CB85

Function 008A0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008A0F8C
GetKeyboardState.USER32(?), ref: 008A0FA1
SetKeyboardState.USER32(?), ref: 008A1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 008A1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 008A104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008A1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008A10B8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 06e23ab80df4c2008be2a3dcaa58fe347716abbce3c1b41fab7bc1542a38ec1d
Instruction ID: 6aae1ffd48a561ad07bb3b8fef9cd121c0d192a2dba6bf6518fc512a0a414b36
Opcode Fuzzy Hash: 06e23ab80df4c2008be2a3dcaa58fe347716abbce3c1b41fab7bc1542a38ec1d
Instruction Fuzzy Hash: 9B51C160604AD53DFF3642388C19BB6BEA9BB07304F088589E2D5D5CD3C6A9ECD4DB51

Function 008A0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008A0DA5
GetKeyboardState.USER32(?), ref: 008A0DBA
SetKeyboardState.USER32(?), ref: 008A0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008A0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008A0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008A0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008A0EC9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 740038ffb7e086bb575363a3f053e5c2c382cc595c03efcf9e5aa6a9f673ed31
Instruction ID: 7fb36715509f236b732de165d65c321562aaf7280abef0974d4db3c24af4462e
Opcode Fuzzy Hash: 740038ffb7e086bb575363a3f053e5c2c382cc595c03efcf9e5aa6a9f673ed31
Instruction Fuzzy Hash: 5F51E4A15486D53DFB3283648C45B7A7EA9FB07300F088989E2D4D6CC2D795ECA8EB51

Function 008A55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008A560A
_wcsncpy.LIBCMT ref: 008A563F
_wcsncpy.LIBCMT ref: 008A5671
_wcsncpy.LIBCMT ref: 008A56A4
_wcsncpy.LIBCMT ref: 008A56E6
_wcsncpy.LIBCMT ref: 008A5720
_wcsncpy.LIBCMT ref: 008A574F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ed4ab9581b57f7f8f7fa57116fce4528846869ad9010d2aa02176884c4a3064c
Instruction ID: a7ca46fd6604856cffdb533441930c7af13d205cc6363b2397b7a02632643800
Opcode Fuzzy Hash: ed4ab9581b57f7f8f7fa57116fce4528846869ad9010d2aa02176884c4a3064c
Instruction Fuzzy Hash: 7341D865C10628B6DB11EBB88C86ACFB3B8FF05310F514456E515E3161FB34A285C7A7

Function 00842344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00842357
ScreenToClient.USER32(009057B0,?), ref: 00842374
GetAsyncKeyState.USER32(00000001), ref: 00842399
GetAsyncKeyState.USER32(00000002), ref: 008423A7

Strings

fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0, xrefs: 0087BFF9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0
API String ID: 4210589936-2153139032
Opcode ID: ccc5a33600f9fcfdaa557486f1cabb8ee34e4534fb966f3893eec5446659b29c
Instruction ID: 640fe880eb2b8a176c6909d4b692222d64b4c5e5906d3200f13c245e586efa16
Opcode Fuzzy Hash: ccc5a33600f9fcfdaa557486f1cabb8ee34e4534fb966f3893eec5446659b29c
Instruction Fuzzy Hash: 5E419135608509FBDF159F68C844FE9BB75FB05364F20836AF828D62A0CB349990DF91

Function 008A3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008A3697,?), ref: 008A468B

Part of subcall function 008A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008A3697,?), ref: 008A46A4

lstrcmpiW.KERNEL32(?,?), ref: 008A36B7
_wcscmp.LIBCMT ref: 008A36D3
MoveFileW.KERNEL32(?,?), ref: 008A36EB
_wcscat.LIBCMT ref: 008A3733
SHFileOperationW.SHELL32(?), ref: 008A379F

Strings

\*.*, xrefs: 008A372D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: eb08e3f83e58ecba7fd28744ab2823cb4516b9853bf33be234f725abd3ccc2ae
Instruction ID: b6b472e29210a590deeedcbc8417ec862a3779f88f97d4a435f30d0f1c8ef4f9
Opcode Fuzzy Hash: eb08e3f83e58ecba7fd28744ab2823cb4516b9853bf33be234f725abd3ccc2ae
Instruction Fuzzy Hash: 98419F71508344AEE752EF68C4419DFB7E8FF8A380F40086EB49AC3651EA74D689C752

Function 008C7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008C72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008C7351
IsMenu.USER32(?), ref: 008C7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008C73B1
DrawMenuBar.USER32 ref: 008C73C4

Strings

0, xrefs: 008C729E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e4c49e6afee7f362225a8f2292b591f332b7237a6a2fe98c899c4d46154d3128
Instruction ID: a9811cd504de63c82bb01701731545d32926d8f57329a969e2d6af2bec7a74ea
Opcode Fuzzy Hash: e4c49e6afee7f362225a8f2292b591f332b7237a6a2fe98c899c4d46154d3128
Instruction Fuzzy Hash: 61411375A04248AFDB20DF60D884E9ABBB9FB08354F648529FD05AB390D730ED50EF50

Function 008C0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 008C0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C0FFE
FreeLibrary.KERNEL32(00000000), ref: 008C10B5

Part of subcall function 008C0FA5: RegCloseKey.ADVAPI32(?), ref: 008C101B
Part of subcall function 008C0FA5: FreeLibrary.KERNEL32(?), ref: 008C106D
Part of subcall function 008C0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 008C1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 008C1058

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 0f03feed0c440f07c0a7f8f05a0926bd36c072a391ed9662f52c3848cfd4af9b
Instruction ID: b509d6d2b44e72a20b8d5b0f83e15c2da91e95158e6986d4972d728ee4c0da98
Opcode Fuzzy Hash: 0f03feed0c440f07c0a7f8f05a0926bd36c072a391ed9662f52c3848cfd4af9b
Instruction Fuzzy Hash: FB310771900509EFEB159B94DC89EFEB7BCFB09340F00416AE611E2142EB749E899AA0

Function 008C62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008C62EC
GetWindowLongW.USER32(00F36480,000000F0), ref: 008C631F
GetWindowLongW.USER32(00F36480,000000F0), ref: 008C6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008C6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008C63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 008C63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008C63DB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 003d63e8ba2d242b3014c5e16403aad5c9d5a04109608dfc4e1a0bb9948e45e5
Instruction ID: f959f3818003f96eed644192aa1a387801d9ab033e077b4a40ef6c9a62803498
Opcode Fuzzy Hash: 003d63e8ba2d242b3014c5e16403aad5c9d5a04109608dfc4e1a0bb9948e45e5
Instruction Fuzzy Hash: 8231CC30648291AFEB208F28D884F5937B1FB5A714F1941B8FA01DB2B2DA71E850EB51

Function 0089DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DB54
SysAllocString.OLEAUT32(00000000), ref: 0089DB57
SysAllocString.OLEAUT32(?), ref: 0089DB75
SysFreeString.OLEAUT32(?), ref: 0089DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0089DBA3
SysAllocString.OLEAUT32(?), ref: 0089DBB1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9db398c13fb3834506d0c024330ec1b99b5c6b46687508c0fe13722eeb13a55b
Instruction ID: 94525acbd9f5a9deb557eeea35bc5f1d647667cef997843911da8a96d51fdcd2
Opcode Fuzzy Hash: 9db398c13fb3834506d0c024330ec1b99b5c6b46687508c0fe13722eeb13a55b
Instruction Fuzzy Hash: DD218176600219AFAF10EFA8DC88CBB73ADFB09374B058526FE15DB251D6749C418768

Function 008B6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008B61C6
WSAGetLastError.WSOCK32(00000000), ref: 008B61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008B620E
connect.WSOCK32(00000000,?,00000010), ref: 008B6217
WSAGetLastError.WSOCK32 ref: 008B6221
closesocket.WSOCK32(00000000), ref: 008B624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008B6263

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 3cc2df1b1df6ddbe95ca4dd05fcdb4e1ee46187a63773f18372112048f48db8b
Instruction ID: 363d42ad6b32fc051df8e609a548c2b4126e6c4070bfc4f4c49cd9c5093cfe1b
Opcode Fuzzy Hash: 3cc2df1b1df6ddbe95ca4dd05fcdb4e1ee46187a63773f18372112048f48db8b
Instruction Fuzzy Hash: 7F317231600118ABEF10AF68DC85FBE77B9FF45764F044029FA05D7292DB74AD148B62

Function 0089F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0089F671
__wcsnicmp.LIBCMT ref: 0089F692
__wcsnicmp.LIBCMT ref: 0089F6AC

Strings

#OnAutoItStartRegister, xrefs: 0089F6A6
#notrayicon, xrefs: 0089F669
#requireadmin, xrefs: 0089F68C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 788592ce5deac36675af74a520d214caf6815c302319ef4cbd0f9341fbd38aba
Instruction ID: 32b75e1fccbef147fe336dde5c351242a6e1277fb6f475c9b573f3be20128269
Opcode Fuzzy Hash: 788592ce5deac36675af74a520d214caf6815c302319ef4cbd0f9341fbd38aba
Instruction Fuzzy Hash: 11216A722042517ACA29B638AC02FA773D8FF65314F18443AF642C6153FB519D41C396

Function 0089DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0089DC2F
SysAllocString.OLEAUT32(00000000), ref: 0089DC32
SysAllocString.OLEAUT32 ref: 0089DC53
SysFreeString.OLEAUT32 ref: 0089DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0089DC76
SysAllocString.OLEAUT32(?), ref: 0089DC84

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 830f51214100dd0a35faabf5eeddee3fc329087e7cfa5171b93b7b6e0b7f4d76
Instruction ID: 38bc6d29b82af20ed98d65ff6a8ba8b60f9a3ec29985645be275439af72c8791
Opcode Fuzzy Hash: 830f51214100dd0a35faabf5eeddee3fc329087e7cfa5171b93b7b6e0b7f4d76
Instruction Fuzzy Hash: B5217435604204AFAF14EFA8DC88DAB77EDFB08364B148125FA15CB261D674DC41CB68

Function 008C75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008C7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008C763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008C764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008C7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008C7665

Strings

Msctls_Progress32, xrefs: 008C7603

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 54e6bd236948305da2456facf8857c2b0d2b5de0f3f2f29f44910cab98497886
Instruction ID: f5f5627218d672eac02b01f11e20ec0d77a9ff282e5f54f0855a6369148bfddd
Opcode Fuzzy Hash: 54e6bd236948305da2456facf8857c2b0d2b5de0f3f2f29f44910cab98497886
Instruction Fuzzy Hash: 7E118EB211021DBFEF118F64CC85EE77F6DFF08798F014115BA04A20A0CA729C21DBA4

Function 00869AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00869AE6

Part of subcall function 00863187: EncodePointer.KERNEL32(00000000), ref: 0086318A
Part of subcall function 00863187: __initp_misc_winsig.LIBCMT ref: 008631A5
Part of subcall function 00863187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00869EA0
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00869EB4
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00869EC7
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00869EDA
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00869EED
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00869F00
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00869F13
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00869F26
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00869F39
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00869F4C
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00869F5F
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00869F72
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00869F85
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00869F98
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00869FAB
Part of subcall function 00863187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00869FBE

__mtinitlocks.LIBCMT ref: 00869AEB
__mtterm.LIBCMT ref: 00869AF4

Part of subcall function 00869B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00869AF9,00867CD0,008FA0B8,00000014), ref: 00869C56
Part of subcall function 00869B5C: _free.LIBCMT ref: 00869C5D
Part of subcall function 00869B5C: DeleteCriticalSection.KERNEL32(008FEC00,?,?,00869AF9,00867CD0,008FA0B8,00000014), ref: 00869C7F

__calloc_crt.LIBCMT ref: 00869B19
__initptd.LIBCMT ref: 00869B3B
GetCurrentThreadId.KERNEL32 ref: 00869B42

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 5bd4ee6406addb827f43475c399fde7115f0c4b9bea08beab343342b482621b3
Instruction ID: 9826d8151849d5053993a765b15196b073e945822d666a4341ac666522cf6067
Opcode Fuzzy Hash: 5bd4ee6406addb827f43475c399fde7115f0c4b9bea08beab343342b482621b3
Instruction Fuzzy Hash: C3F096326097215AEA357B7C7C03A5A36DDFF02731F23062AF5E4C61D2EF7084414562

Function 0086406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00863F85), ref: 00864085
GetProcAddress.KERNEL32(00000000), ref: 0086408C
EncodePointer.KERNEL32(00000000), ref: 00864097
DecodePointer.KERNEL32(00863F85), ref: 008640B2

Strings

combase.dll, xrefs: 00864080
RoUninitialize, xrefs: 00864074

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 9dbb75d8784b0738d8baa77dcd47f2ad025258f77776c3766862eca465969ed5
Instruction ID: 2b37dd66c2974560e80d7ff3840e31aab1d1875e01a1bd2e73376f691a681aa6
Opcode Fuzzy Hash: 9dbb75d8784b0738d8baa77dcd47f2ad025258f77776c3766862eca465969ed5
Instruction Fuzzy Hash: 22E0B670599300EFEB90AF71EC0DF053ABAF718742F11812AF211E12A1CBB74604EB15

Function 00841DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00841DDC
GetWindowRect.USER32(?,?), ref: 00841E1D
ScreenToClient.USER32(?,?), ref: 00841E45
GetClientRect.USER32(?,?), ref: 00841F74
GetWindowRect.USER32(?,?), ref: 00841F8D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dba73d046efb02b4ff0f1e382bea7058ed1342a9cf09fa84a559c4b016fc0c2c
Instruction ID: e4d76c81b85ad1ae9a3164a2980df4ea120dea72d2c9ed31edf0a7d44117de86
Opcode Fuzzy Hash: dba73d046efb02b4ff0f1e382bea7058ed1342a9cf09fa84a559c4b016fc0c2c
Instruction Fuzzy Hash: 06B12779A0024EDBDF10CFA8C584BEAB7B1FF08714F148529EC59DB255EB30AA85CB54

Function 008A64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008A660B
_memmove.LIBCMT ref: 008A6546

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

_memmove.LIBCMT ref: 008A65B9
_memmove.LIBCMT ref: 008A66A0
_memmove.LIBCMT ref: 008A66B9
_memmove.LIBCMT ref: 008A66D5

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction ID: 219886b750e8e30c398323a6b51cecc07a6678762cef86dc3f0d10741b3a90e9
Opcode Fuzzy Hash: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction Fuzzy Hash: 7661AC3090065E9BDF11EF68CC82AFF37A5FF56308F094529F8599B192EB35A811CB52

Function 008C01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008C0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008C0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008C038C
RegCloseKey.ADVAPI32(00000000), ref: 008C0399

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 3f8cc3fab7f55c10a6a22203fb03d12368128e60241d98be6ee9a44224c91f02
Instruction ID: 4cef376e1081cbac2589dd6423b1a0969c0ddb89ad7c169c3871a175d61a0882
Opcode Fuzzy Hash: 3f8cc3fab7f55c10a6a22203fb03d12368128e60241d98be6ee9a44224c91f02
Instruction Fuzzy Hash: E8512531208244AFDB11EB68C885E6EBBB9FF84754F04491DF595C72A2DB31E905CF52

Function 008C5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008C57FB
GetMenuItemCount.USER32(00000000), ref: 008C5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008C585A
GetMenuItemID.USER32(?,?), ref: 008C58C9
GetSubMenu.USER32(?,?), ref: 008C58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 008C5928

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 33376915abff1651b0eae15cbb411583f2739a00310f8fbcb009bfe670385d45
Instruction ID: 2818e4401e70453039735873d3658b3183ea8ee0f72ad336155133f1ee7e0d55
Opcode Fuzzy Hash: 33376915abff1651b0eae15cbb411583f2739a00310f8fbcb009bfe670385d45
Instruction Fuzzy Hash: 83515C31A00619AFDF11DF68C845EAEBBB5FF48320F104069E941EB351CB75AE818B91

Function 0089EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089EF06
VariantClear.OLEAUT32(00000013), ref: 0089EF78
VariantClear.OLEAUT32(00000000), ref: 0089EFD3
_memmove.LIBCMT ref: 0089EFFD
VariantClear.OLEAUT32(?), ref: 0089F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0089F078

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 725485b709dda26a087ef8751798eccb6d6398caea7ad8ad2d79956bd125fed3
Instruction ID: b333cc90dee5e0661a255f4b25da0486f3344514fa2e87e437ea030209bea4f0
Opcode Fuzzy Hash: 725485b709dda26a087ef8751798eccb6d6398caea7ad8ad2d79956bd125fed3
Instruction Fuzzy Hash: D6516D75A00209DFDB14DF58C880AAAB7F9FF4C314B15856AEA59DB302E735E911CF90

Function 008A220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A22A3
IsMenu.USER32(00000000), ref: 008A22C3
CreatePopupMenu.USER32 ref: 008A22F7
GetMenuItemCount.USER32(000000FF), ref: 008A2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008A2386

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e80cd56292c5605b5551b9600cc21026e432e179376f31fad08e58d7a9b401e9
Instruction ID: 06f3af5a93ff6590e152b79140c670a19b579a0c3cfda3b9cd9d6e7f705ea045
Opcode Fuzzy Hash: e80cd56292c5605b5551b9600cc21026e432e179376f31fad08e58d7a9b401e9
Instruction Fuzzy Hash: B9517630600209ABEF35CF6CD888BAEBBA5FF47318F104269E811E76A1D3759904CB51

Function 00841765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0084179A
GetWindowRect.USER32(?,?), ref: 008417FE
ScreenToClient.USER32(?,?), ref: 0084181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0084182C
EndPaint.USER32(?,?), ref: 00841876

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 705ec3c036123187c058d1ca6cd1af67905b4d3187adc81e1c274554015b02cd
Instruction ID: fb6e6be6be28e3e467aa29a99e211f6041181a2e5ae3b2790be74ce8c224bc15
Opcode Fuzzy Hash: 705ec3c036123187c058d1ca6cd1af67905b4d3187adc81e1c274554015b02cd
Instruction Fuzzy Hash: 33418F301047089FDB11DF24C888FAA7BF9FB59764F144639FAA4C71A2C7309885DB62

Function 008CB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009057B0,00000000,00F36480,?,?,009057B0,?,008CB5A8,?,?), ref: 008CB712
EnableWindow.USER32(00000000,00000000), ref: 008CB736
ShowWindow.USER32(009057B0,00000000,00F36480,?,?,009057B0,?,008CB5A8,?,?), ref: 008CB796
ShowWindow.USER32(00000000,00000004,?,008CB5A8,?,?), ref: 008CB7A8
EnableWindow.USER32(00000000,00000001), ref: 008CB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 008CB7EF

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 548a84d44cfff4a00a8c2682022b584de93554babd295c5d828a03bfa32a2a62
Instruction ID: 15874abdc40c2e0b3a7e746762c10efbcbe8e761a60ba6b7bdb7301adc7c1c4e
Opcode Fuzzy Hash: 548a84d44cfff4a00a8c2682022b584de93554babd295c5d828a03bfa32a2a62
Instruction Fuzzy Hash: E5411834601644AFDB26CF28C49AF957BB1FB45314F1881A9EE48CF6A2CB31E856CB51

Function 008B709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,008B4E41,?,?,00000000,00000001), ref: 008B70AC

Part of subcall function 008B39A0: GetWindowRect.USER32(?,?), ref: 008B39B3

GetDesktopWindow.USER32 ref: 008B70D6
GetWindowRect.USER32(00000000), ref: 008B70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008B710F

Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC

GetCursorPos.USER32(?), ref: 008B713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008B7199

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ae2603c159e48998bb86ccfa95938d10729f0c86d819c4e5d74db9e32e26b4f8
Instruction ID: c4e769e53a19a03cd41eed7f550195e8b64569c2079e1a48acca1b1086ace616
Opcode Fuzzy Hash: ae2603c159e48998bb86ccfa95938d10729f0c86d819c4e5d74db9e32e26b4f8
Instruction Fuzzy Hash: A331B472505305ABD720DF18C849F9BB7AAFFC9314F000519F585D7291D770EA09CB92

Function 00898879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008980C0
Part of subcall function 008980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008980CA
Part of subcall function 008980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008980D9
Part of subcall function 008980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008980E0
Part of subcall function 008980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008980F6

GetLengthSid.ADVAPI32(?,00000000,0089842F), ref: 008988CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008988D6
HeapAlloc.KERNEL32(00000000), ref: 008988DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 008988F6
GetProcessHeap.KERNEL32(00000000,00000000,0089842F), ref: 0089890A
HeapFree.KERNEL32(00000000), ref: 00898911

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 673cb7a15907c3ce5ae323bbaa43308289a838f9cef82558a1cf15aca80695aa
Instruction ID: 17f9595761836eaeaf58c9438b51ca45f4015fc8e5ef7e81830b1112152a6d0a
Opcode Fuzzy Hash: 673cb7a15907c3ce5ae323bbaa43308289a838f9cef82558a1cf15aca80695aa
Instruction Fuzzy Hash: 89119D7160160AEFEF11AFA4DC09FBE7B79FB46315F18402AE946E7211CB329900DB60

Function 008985B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008985E2
OpenProcessToken.ADVAPI32(00000000), ref: 008985E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008985F8
CloseHandle.KERNEL32(00000004), ref: 00898603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00898632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00898646

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a5e447390dff30d2220c7dab27170538ba47ccf24f94b2f94a79fe827f244db0
Instruction ID: ed7343a0408c47151aa5c97889aa5f8adebb6f285cb96db88d8b32ff27d90855
Opcode Fuzzy Hash: a5e447390dff30d2220c7dab27170538ba47ccf24f94b2f94a79fe827f244db0
Instruction Fuzzy Hash: 44114A7250024AEBEF029FA4DD49FDA7BB9FB49304F084065FE05A2161C7719D64DB60

Function 0089B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0089B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0089B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0089B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0089B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0089B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0089B7FE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9cc684734bd2eae96dcfc1b2c8d3f9d00a9ac3c74915e57b436ab76ded557a34
Instruction ID: e2910268a79f9fbb26f466c753c4b014926f19d83668ae52e1085057b9b551d2
Opcode Fuzzy Hash: 9cc684734bd2eae96dcfc1b2c8d3f9d00a9ac3c74915e57b436ab76ded557a34
Instruction Fuzzy Hash: 45017175A00209BBEF10ABE69D45E5EBFB9FB48711F044066FA04E7291D6309C00CF91

Function 00860162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00860193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0086019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008601A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008601B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 008601B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 008601C1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 65a52df6d2eb34ebe2a78b4fe88c75519c02912139119d70425ab734ea6cff67
Instruction ID: bf19f4a420a88808a42b6bbd1cfa769d52ae37c4e7c3aab11a9f46077d44d8da
Opcode Fuzzy Hash: 65a52df6d2eb34ebe2a78b4fe88c75519c02912139119d70425ab734ea6cff67
Instruction Fuzzy Hash: 92016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C47942C7F5A864CBE5

Function 008A53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008A53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008A540F
GetWindowThreadProcessId.USER32(?,?), ref: 008A541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008A543E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 371ab7b2955f85c28582b29ce9868e83c7bb1efa56ba0c0738296fea3f6408fc
Instruction ID: 13559c67f48f224dece4c7c44ba42dc89b292d386cfde12105a633f61787551f
Opcode Fuzzy Hash: 371ab7b2955f85c28582b29ce9868e83c7bb1efa56ba0c0738296fea3f6408fc
Instruction Fuzzy Hash: FCF06D72241558BBF3215BA2DC0DEAB7A7DFBCAB11F00016AFA05D105296B11A0186B5

Function 008A7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008A7243
EnterCriticalSection.KERNEL32(?,?,00850EE4,?,?), ref: 008A7254
TerminateThread.KERNEL32(00000000,000001F6,?,00850EE4,?,?), ref: 008A7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00850EE4,?,?), ref: 008A726E

Part of subcall function 008A6C35: CloseHandle.KERNEL32(00000000,?,008A727B,?,00850EE4,?,?), ref: 008A6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 008A7281
LeaveCriticalSection.KERNEL32(?,?,00850EE4,?,?), ref: 008A7288

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7518e08ad1ec4d22b3b24bfb5feb85da08b993184be40c6e124c0fed6fecd7f5
Instruction ID: f956aef7d8c6f240d224289c845f7aa4dfd44ddd627c56d5dea763ee6dd5a43f
Opcode Fuzzy Hash: 7518e08ad1ec4d22b3b24bfb5feb85da08b993184be40c6e124c0fed6fecd7f5
Instruction Fuzzy Hash: 9EF05E36540612EBF7121B64ED4CEDA773BFF45712B140532F703914A6DB765811DB50

Function 00898992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0089899D
UnloadUserProfile.USERENV(?,?), ref: 008989A9
CloseHandle.KERNEL32(?), ref: 008989B2
CloseHandle.KERNEL32(?), ref: 008989BA
GetProcessHeap.KERNEL32(00000000,?), ref: 008989C3
HeapFree.KERNEL32(00000000), ref: 008989CA

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cd02521338f3a960ef7c3cd0ad822e49ef86e76094d76e32019a4915a8a9dc05
Instruction ID: db511dcc78546455d9254ca85b93bcfdf89667963bf15cb70fb95b6d5a0e56aa
Opcode Fuzzy Hash: cd02521338f3a960ef7c3cd0ad822e49ef86e76094d76e32019a4915a8a9dc05
Instruction Fuzzy Hash: 57E0C236004401FBEA021FF2EC0CD0ABB7AFB89322B148232F31981171CB329420DB50

Function 008B85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008B8613
CharUpperBuffW.USER32(?,?), ref: 008B8722
VariantClear.OLEAUT32(?), ref: 008B889A

Part of subcall function 008A7562: VariantInit.OLEAUT32(00000000), ref: 008A75A2
Part of subcall function 008A7562: VariantCopy.OLEAUT32(00000000,?), ref: 008A75AB
Part of subcall function 008A7562: VariantClear.OLEAUT32(00000000), ref: 008A75B7

Strings

Incorrect Parameter format, xrefs: 008B864B, 008B880D
AUTOIT.ERROR, xrefs: 008B8728

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 59ef0b5ae09046387ba869caf2a7d621ca3615ffaaa5d64061444ba83dafc54a
Instruction ID: f75accf47c7e270a09d54b00622a4611fe7b8c21f8c1bcb56fa67e545f5b5560
Opcode Fuzzy Hash: 59ef0b5ae09046387ba869caf2a7d621ca3615ffaaa5d64061444ba83dafc54a
Instruction Fuzzy Hash: 14912670604305DFCB10DF28C48499ABBE8FB89714F14896EF99ACB362DB31E905CB52

Function 008A2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9

_memset.LIBCMT ref: 008A2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008A2C97

Strings

0, xrefs: 008A2B73

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ade2605f917da643d7dd2fe530610ba87f5efa2c88e532d88b329a55b41b4bcd
Instruction ID: 0575c7549065c257c7a85bef8ee84c7ee7909ae289c5e792e02f4ea2f22b905f
Opcode Fuzzy Hash: ade2605f917da643d7dd2fe530610ba87f5efa2c88e532d88b329a55b41b4bcd
Instruction Fuzzy Hash: F35198716083119FE7349F2CC845A6FB7E9FB9A320F040A29F995D3591DB60CD04CBA2

Function 0089D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0089D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0089D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0089D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0089D69D

Strings

DllGetClassObject, xrefs: 0089D610

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a7059e9e830869d118edb841a7f9eefbbd9c1913b37a9d746e35785329766bbb
Instruction ID: 6e10f2b4a15578f195f32b37d5ca0ac325eb47b46b96efdf71aba7bda977a55c
Opcode Fuzzy Hash: a7059e9e830869d118edb841a7f9eefbbd9c1913b37a9d746e35785329766bbb
Instruction Fuzzy Hash: 4C416DB1600305EFDF06EF64C884A9A7BB9FF54314B1981AAA909DF206D7B1D944CBE4

Function 008A2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008A27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 008A2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00905890,00000000), ref: 008A286B

Strings

0, xrefs: 008A27B5

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 580148f4841de1cdb86b1f7adf063be53ad4e6a3011eee8a74bc32e19eaadbf9
Instruction ID: da979408a234ef752d512862d030a83d0f51e74142752ecf4fb5bf355a9b5613
Opcode Fuzzy Hash: 580148f4841de1cdb86b1f7adf063be53ad4e6a3011eee8a74bc32e19eaadbf9
Instruction Fuzzy Hash: B9418D706043419FEB20DF2CC844B1ABBE9FF86314F14492DF9A5D7692DB34A905CB52

Function 008A0AD6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008A0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 008A0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008A0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008A0BFB

Strings

fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0, xrefs: 008A0B5D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0
API String ID: 432972143-2153139032
Opcode ID: fcb281c5fa4ae6f27397914b9951b8fae60f3ce467b67b69726384c5b4fe8d01
Instruction ID: 86b822acbfd25b0b939036715cd86eff6e8a68b9bf5234627e71f9bfd2693ddf
Opcode Fuzzy Hash: fcb281c5fa4ae6f27397914b9951b8fae60f3ce467b67b69726384c5b4fe8d01
Instruction Fuzzy Hash: 6F313930A406186EFF348B698D05BF9BBA5FB47338F08425AE580D25D2C37589429B72

Function 008A0C11 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008A0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 008A0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 008A0CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008A0D33

Strings

fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0, xrefs: 008A0C9F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: fewc6dfew76dfew46dfew56dfewa6dfewc6dfew06dfew16dfew06dfew06dfew06dfew06dfew06dfew06dfewb6dfew96dfew46dfew36dfew06dfew06dfew06dfew0
API String ID: 432972143-2153139032
Opcode ID: e59f61ea6dba5f408532004f69f30a1ca70ddcd336624360f507a5eba06bf428
Instruction ID: fb7f16829c873e0c40c7b0de12be785ffd88215018b7fc5ff796034245367db3
Opcode Fuzzy Hash: e59f61ea6dba5f408532004f69f30a1ca70ddcd336624360f507a5eba06bf428
Instruction Fuzzy Hash: 9A312630A4021C6FFF348B698805BFEBBB6FB47320F18431AE585D29D1D33999559B52

Function 008BD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008BD7C5

Part of subcall function 0084784B: _memmove.LIBCMT ref: 00847899

Strings

none, xrefs: 008BD8A0
stdcall, xrefs: 008BD847
winapi, xrefs: 008BD836
cdecl, xrefs: 008BD81C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 5c9b35f0b18338d53d41984e601c570fa774fd9e0f21959aa7a96e18deec77e1
Instruction ID: 2dce55434be28fd3df4abdf2bffd5b3b87f419cde386f7545fa3c2c012c7d977
Opcode Fuzzy Hash: 5c9b35f0b18338d53d41984e601c570fa774fd9e0f21959aa7a96e18deec77e1
Instruction Fuzzy Hash: 74316E71904619ABCF00EFA8C8519FEB7B5FF14720B108A29E965D77D2EB71A905CB80

Function 00898E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00898F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00898F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00898F57

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

Strings

ListBox, xrefs: 00898ED3
ComboBox, xrefs: 00898E9E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3875838d6272ea43fc61568dfe727a5eefa4e14d9c5603a33501afa1a5407f4f
Instruction ID: cdf24815fc4255f4ad30e6fb348e80ed16dac0444b9a2411a71024381e409a5e
Opcode Fuzzy Hash: 3875838d6272ea43fc61568dfe727a5eefa4e14d9c5603a33501afa1a5407f4f
Instruction Fuzzy Hash: 6921E171A00109BEEF14ABB48C45DFFBB69FF06360B084529F421E72E1DF394809D610

Function 008B182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008B184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008B18A2
InternetCloseHandle.WININET(00000000), ref: 008B18E9

Part of subcall function 008B2483: GetLastError.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B2498
Part of subcall function 008B2483: SetEvent.KERNEL32(?,?,008B1817,00000000,00000000,00000001), ref: 008B24AD

Strings

, xrefs: 008B1893

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 57f3d36c2c11156999d0627a2e7fd84dd278444331541c88b7ca4ffd5ac17ae5
Instruction ID: 368f81777b963d98abbd2c73ef4bae46dcf19613b66a8f32c3d00060f6aa49c6
Opcode Fuzzy Hash: 57f3d36c2c11156999d0627a2e7fd84dd278444331541c88b7ca4ffd5ac17ae5
Instruction Fuzzy Hash: E2217CB1500208BFEB219B649C99EFB76AEFB48744F50413AF905EA640EA309E0597A1

Function 008C63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008C6461
LoadLibraryW.KERNEL32(?), ref: 008C6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008C647D
DestroyWindow.USER32(?), ref: 008C6485

Strings

SysAnimate32, xrefs: 008C643C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 52ed864028ad89bbf368f0a8a5ca3692ff959d2dab06145831dd4cf30aa4de52
Instruction ID: 9290f2ed88d23bce5de01eb4342f83674c31baaa10aaeec74384aeb2f4cb0138
Opcode Fuzzy Hash: 52ed864028ad89bbf368f0a8a5ca3692ff959d2dab06145831dd4cf30aa4de52
Instruction Fuzzy Hash: 81217971200209ABEF148F64DC84FBA37BDFF58328F104639FA10D2191E631DC61A764

Function 008A6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008A6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008A6DEF
GetStdHandle.KERNEL32(0000000C), ref: 008A6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008A6E3B

Strings

nul, xrefs: 008A6E36

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 498d76c88161d4a0b970fe8e509ca351b1b3fe1c306d7e8e2cc7d8873973ac25
Instruction ID: 10cc8a374531916fc86ecd7d20efeaa5c42161b284ad82483a3094043a7d9051
Opcode Fuzzy Hash: 498d76c88161d4a0b970fe8e509ca351b1b3fe1c306d7e8e2cc7d8873973ac25
Instruction Fuzzy Hash: 8D21A474600209ABEB209F39DC04A9A77F5FF46760F244619FEA0D76D4E7719970CB50

Function 008A6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008A6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008A6EBB
GetStdHandle.KERNEL32(000000F6), ref: 008A6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008A6F06

Strings

nul, xrefs: 008A6F01

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c6d8c00697046872a6af4f97f990b918bc6acb11af4d308d24d61acd231a19c6
Instruction ID: db97613ad7e94e168489b1cf35e57f0f2c399bf7d3ac97fcab95893bcdd87e50
Opcode Fuzzy Hash: c6d8c00697046872a6af4f97f990b918bc6acb11af4d308d24d61acd231a19c6
Instruction Fuzzy Hash: 06218179500305EBEB209F69D804A9AB7A8FF46724F380A19F9A0D76D4E77098708761

Function 008AAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008AAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008AACA8
__swprintf.LIBCMT ref: 008AACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,008CF910), ref: 008AACFF

Strings

%lu, xrefs: 008AACBB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: dee840ec1081f5b15c803ea7712fb7f607867448aaa84e44c88fd1f9608fc7f7
Instruction ID: 870bbfa04497d30a8cff13ea4d15cdebe9689b574fa8d5d21ea729ebeae91a5b
Opcode Fuzzy Hash: dee840ec1081f5b15c803ea7712fb7f607867448aaa84e44c88fd1f9608fc7f7
Instruction Fuzzy Hash: 65216030A0010DAFDB10DF69C945DAE7BB8FF49714B004469F909EB352DB31EA41CB22

Function 008A1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A1B19

Strings

EXISTS, xrefs: 008A1B41
REMOVE, xrefs: 008A1B1F
KEYS, xrefs: 008A1B30
APPEND, xrefs: 008A1B52

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d29c6ebda95cdd9d4ec7431c0c07f06855e2241a92c71d9040746923e5b88c5a
Instruction ID: 55b1694c859ab9f79a3ca1e03d8d37dd212c7dd07c9e8f124de028bb76d507aa
Opcode Fuzzy Hash: d29c6ebda95cdd9d4ec7431c0c07f06855e2241a92c71d9040746923e5b88c5a
Instruction Fuzzy Hash: 5C117C709001188FCF00EFA8D8558BEB7B5FF26304F104465D964E76A2EB32590ACF50

Function 008BEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008BEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008BEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008BED6A
CloseHandle.KERNEL32(?), ref: 008BEDEB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f04a7c8a926d66a98f9638ab005c16c5a347acf8a07e3a572047364f2a63bd45
Instruction ID: c5e5b8ad81b2382442d1d7388d76e42b5855be186759de863496342e1757b160
Opcode Fuzzy Hash: f04a7c8a926d66a98f9638ab005c16c5a347acf8a07e3a572047364f2a63bd45
Instruction Fuzzy Hash: 15812C716047109FD760EF2CC886B6AB7E5FF44720F14892DF999DB392D6B1AC408B92

Function 008C0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 008C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008BFDAD,?,?), ref: 008C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008C00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008C013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008C0183
RegCloseKey.ADVAPI32(?,?), ref: 008C01AF
RegCloseKey.ADVAPI32(00000000), ref: 008C01BC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b9a0cfeaca609ba0d616c2733fb3b2abc81b31f06bd07403b25ec7d496a67162
Instruction ID: 6e02fd3d2e1c235135368bb9e5becc2ccec2e10146e68fc266b270bd696f9166
Opcode Fuzzy Hash: b9a0cfeaca609ba0d616c2733fb3b2abc81b31f06bd07403b25ec7d496a67162
Instruction Fuzzy Hash: 24511771208208AFD714EB58C881F6AB7F9FF84754F44892DF595C72A2EB31E904CB52

Function 008BD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008BD927
GetProcAddress.KERNEL32(00000000,?), ref: 008BD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 008BD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 008BDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008BDA21

Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: d46df4dca2355ccb315de48567d19aa4efa20b823593e7d33cf5e58ceb64331f
Instruction ID: 33fad2077947842605c1f6c697a631550dcd9782199900fbc26a6d955e52a438
Opcode Fuzzy Hash: d46df4dca2355ccb315de48567d19aa4efa20b823593e7d33cf5e58ceb64331f
Instruction Fuzzy Hash: BB511635A00219EFCB11EFA8C4849ADBBF5FF09324B148066E959EB312E731AD45CF91

Function 008AE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008AE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008AE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008AE687

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008AE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008AE6B4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 21ba0e01dbac9da6aa0adfc9f8f29214bf9c4a4c9a44e5d0acdb123fac00485c
Instruction ID: 0188573f798bbf5e68e25f7afccc48cb6666bbac54f0a0bd33a5c380a361320e
Opcode Fuzzy Hash: 21ba0e01dbac9da6aa0adfc9f8f29214bf9c4a4c9a44e5d0acdb123fac00485c
Instruction Fuzzy Hash: B1511835A00109DFDB11EF68C981AAEBBF5FF49314B1484A9E949EB362CB31ED11CB51

Function 008CA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b854e73b2d3b8636c9e2b31301038af7be7950101795d1994efee96d236b230
Instruction ID: 2b10d5e3cb1ebcacec7993d49e6dc5bbdf9853c99931f4b0bc5eb6ba6aa7f18f
Opcode Fuzzy Hash: 4b854e73b2d3b8636c9e2b31301038af7be7950101795d1994efee96d236b230
Instruction Fuzzy Hash: C041023590410CAFD728CB28DC88FA9BBB9FB09318F19416AF916E72E1CB30DD40DA51

Function 008963AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008963E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00896433
TranslateMessage.USER32(?), ref: 0089645C
DispatchMessageW.USER32(?), ref: 00896466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00896475

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3e722f454d56c754b9e7c6b10c2bf36094d4a3dba03dfc4cb5ce6a7cca10b574
Instruction ID: 7c5983f8f3dafee36cdcf64307d2d331d2cce072d65d1376a8c4163927e59150
Opcode Fuzzy Hash: 3e722f454d56c754b9e7c6b10c2bf36094d4a3dba03dfc4cb5ce6a7cca10b574
Instruction Fuzzy Hash: CC31DE31904606AFEF24AFB48C44FB77BBCFB00304F184165E821C21A1F73598A9EBA5

Function 00898A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00898A30
PostMessageW.USER32(?,00000201,00000001), ref: 00898ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00898AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00898AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00898AF8

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 824fb21f3b020742c5f526d6953ee5b59f1aa6ac6c366d709d1573e9e629e3aa
Instruction ID: caede88775f9c1bf124bca95ec75291111d239919c5fb97d9e5d704f84fa8c06
Opcode Fuzzy Hash: 824fb21f3b020742c5f526d6953ee5b59f1aa6ac6c366d709d1573e9e629e3aa
Instruction Fuzzy Hash: 8F31DF7150022AEFDF14DFA8DD4CA9E3BB6FB05325F14822AF925E62D1C7B09910DB91

Function 0089B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0089B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0089B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0089B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0089B27F
_wcsstr.LIBCMT ref: 0089B289

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 97412ad0cb1a82a1ea4df7b6ebf96091cb95f6e0f45779f258f3222a740dfb2c
Instruction ID: 23162dfbac01f0e9a4d4a1f80fb593f20b2b3801644dcefea4acbde476f83087
Opcode Fuzzy Hash: 97412ad0cb1a82a1ea4df7b6ebf96091cb95f6e0f45779f258f3222a740dfb2c
Instruction Fuzzy Hash: 832125312042047AEF156BB9AD09E7F7BA9FF49720F044139F804CA1A1EB71DC409660

Function 008CB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

GetWindowLongW.USER32(?,000000F0), ref: 008CB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 008CB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008CB1CF
GetSystemMetrics.USER32(00000004), ref: 008CB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008B0E90,00000000), ref: 008CB216

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cc518b5e8678806df0feef995b330232cec33959978d281e1eb0ae1010febc54
Instruction ID: 058c761f5359c762f05319b1b448465e02845d6e46f05ff0552a769e8cd80ecc
Opcode Fuzzy Hash: cc518b5e8678806df0feef995b330232cec33959978d281e1eb0ae1010febc54
Instruction Fuzzy Hash: AF217C71A24A65AFCB209F389C09F6A3BB5FB05325F154629BE22D71E0E730D8109B90

Function 00899307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00899320

Part of subcall function 00847BCC: _memmove.LIBCMT ref: 00847C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00899352
__itow.LIBCMT ref: 0089936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00899392
__itow.LIBCMT ref: 008993A3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 3e44712e7a258dbb55dda64088d8910190b13bdf1b52650a5913f2eef2829aba
Instruction ID: a51a9b723ea6a5caf4ee19f18b532de04fe0a35f9d3ab4ecd289f33d719e79cd
Opcode Fuzzy Hash: 3e44712e7a258dbb55dda64088d8910190b13bdf1b52650a5913f2eef2829aba
Instruction Fuzzy Hash: 9821C531700208ABDF10AE698C85EAE7BADFB58710F085029FE85D73D1E6B08D45A792

Function 008B5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008B5A6E
GetForegroundWindow.USER32 ref: 008B5A85
GetDC.USER32(00000000), ref: 008B5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 008B5ACD
ReleaseDC.USER32(00000000,00000003), ref: 008B5B08

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b1f7193a06636ec4ee8ad73c60d314c28fdb1c7115fa049f6e941828ce673faa
Instruction ID: 540e717720a21ed2a812ccbb6aeeb55141ae6ea66699c499e02cdf16c056854b
Opcode Fuzzy Hash: b1f7193a06636ec4ee8ad73c60d314c28fdb1c7115fa049f6e941828ce673faa
Instruction Fuzzy Hash: 85216F75A00118AFE714EF69D884E9ABBF5FF49310F148479F949D7362DA30AD00CB91

Function 008412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0084134D
SelectObject.GDI32(?,00000000), ref: 0084135C
BeginPath.GDI32(?), ref: 00841373
SelectObject.GDI32(?,00000000), ref: 0084139C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f8dcc0f8ff4223a954963dcdadb07d753927234b575a8a526ce0c558b2c12d61
Instruction ID: 83c89977ffdf5bf015af95d56990b731b0fb08d7ed762b2f4ace5ea17ae0ef6f
Opcode Fuzzy Hash: f8dcc0f8ff4223a954963dcdadb07d753927234b575a8a526ce0c558b2c12d61
Instruction Fuzzy Hash: 21213630814A0CEFDF11CF25EC48B6A7BA9FB00B65F198226EC14962B1D77499D1EF90

Function 0089BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0089BCB3
_memcmp.LIBCMT ref: 0089BCD1
_memcmp.LIBCMT ref: 0089BCE4
_memcmp.LIBCMT ref: 0089BCFC
_memcmp.LIBCMT ref: 0089BD14

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 199f6ec1e95c249c9b8ecc2b8628ce6c9180f1613a492253a218be85731685b5
Instruction ID: 2071f4132c97ad7c6686dc6c3893c1254ca80423d832e24ce90ce4382794c797
Opcode Fuzzy Hash: 199f6ec1e95c249c9b8ecc2b8628ce6c9180f1613a492253a218be85731685b5
Instruction Fuzzy Hash: 0E0169A26001096AEA047A15AE42FBBA35DFF6039CF0C4422FD15DB342EB64EE1082A5

Function 008A4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008A4ABA
__beginthreadex.LIBCMT ref: 008A4AD8
MessageBoxW.USER32(?,?,?,?), ref: 008A4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008A4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008A4B0A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0b28d7da7ff4f013d554fd4543834f383c2f392a47cfed66d540cdd5ce8a29cd
Instruction ID: 6bb3f46f31cf221a97aa286e47bf45287f0c7d421ec986aabfae59bd6b2e1208
Opcode Fuzzy Hash: 0b28d7da7ff4f013d554fd4543834f383c2f392a47cfed66d540cdd5ce8a29cd
Instruction Fuzzy Hash: A8110876908618BFEB018FAC9C04E9B7FAEFB85320F154266F924D3351D6B1C9008BB0

Function 00898202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0089821E
GetLastError.KERNEL32(?,00897CE2,?,?,?), ref: 00898228
GetProcessHeap.KERNEL32(00000008,?,?,00897CE2,?,?,?), ref: 00898237
HeapAlloc.KERNEL32(00000000,?,00897CE2,?,?,?), ref: 0089823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00898255

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 84593695c236763e1baf482c64c47fc173958e64907ef404813fc3abb7763f37
Instruction ID: 288cbcbf7561b6758c0e8b6ed6c75b3bf6b246d2eb9ea67b22c49d41c4d5b7b8
Opcode Fuzzy Hash: 84593695c236763e1baf482c64c47fc173958e64907ef404813fc3abb7763f37
Instruction Fuzzy Hash: 79014671200605FFEB205FA6DC48D6B7FBEFF8A755B54042AF909C3220DA318C00DA60

Function 0089710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?,?,00897455), ref: 00897127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 00897150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?), ref: 00897160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00897044,80070057,?,?), ref: 0089716C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: faff347ef61719c37cbe6aa9a0666ca48c5ecefd6f6b1b11be54d2e16a92a86f
Instruction ID: 3fd85857b183b07460ed54e112fcc57b1ec339e45dd5b569ad46895d8a6d2a7d
Opcode Fuzzy Hash: faff347ef61719c37cbe6aa9a0666ca48c5ecefd6f6b1b11be54d2e16a92a86f
Instruction Fuzzy Hash: 13017C72621208BFEB115F64DC44EAA7BBEFB48792F180078FE04D2221E731DD419BA0

Function 008A5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008A526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008A5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 887d84ecf624827000a7c8cc3332931d62f663f117d5411908e65782e1729f5c
Instruction ID: 9298823a788b653f940ba1a6dd2641699f86e0e3325216209d53bd5b4e449365
Opcode Fuzzy Hash: 887d84ecf624827000a7c8cc3332931d62f663f117d5411908e65782e1729f5c
Instruction Fuzzy Hash: BF012931D01A1DDBEF00EFE4E849AEDBB79FB0A711F450156EA45F2642CB30959487A1

Function 0089810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00898121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0089812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0089813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00898141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00898157

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0d81165dbdc2924776375dcade0d330d480b7f33e7cad73b50a1cabcd1a38c03
Instruction ID: 81343c578fbffb72ac0094ba830b96d20d26ab122eccdf0fb887b885e295a929
Opcode Fuzzy Hash: 0d81165dbdc2924776375dcade0d330d480b7f33e7cad73b50a1cabcd1a38c03
Instruction Fuzzy Hash: 9AF04F71200305EFEB121FA5EC88E6B3BBDFF4AB54B040026FA45C6151CB719941DA60

Function 0089C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0089C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0089C20E
MessageBeep.USER32(00000000), ref: 0089C226
KillTimer.USER32(?,0000040A), ref: 0089C242
EndDialog.USER32(?,00000001), ref: 0089C25C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fff42141d6541164c0cf8a88128a70d06cb41db7cd0cf9ee72ed4106ad7885e0
Instruction ID: dc2a28e794163f1229c92a3938b55bec73d840272d46e78c8c86441e263f17f6
Opcode Fuzzy Hash: fff42141d6541164c0cf8a88128a70d06cb41db7cd0cf9ee72ed4106ad7885e0
Instruction Fuzzy Hash: 5A01D630404308ABFF246BA4ED4EF9677B9FF10B06F044669F682E14E2DBF169449B90

Function 008413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008413BF
StrokeAndFillPath.GDI32(?,?,0087B888,00000000,?), ref: 008413DB
SelectObject.GDI32(?,00000000), ref: 008413EE
DeleteObject.GDI32 ref: 00841401
StrokePath.GDI32(?), ref: 0084141C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: acb05b5e5cb1c5d4f23932faefe3c7d0ff87f4855724a029bbb712a460e655a5
Instruction ID: af084accf5813947c752398922598bd98ee09303c1969016d2a7fb307a85c6e4
Opcode Fuzzy Hash: acb05b5e5cb1c5d4f23932faefe3c7d0ff87f4855724a029bbb712a460e655a5
Instruction Fuzzy Hash: 70F0F630018B08EFEB115F66EC4CB593BA6F700B26F09C224ED69880B2C7348995EF10

Function 00852CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00860DB6: std::exception::exception.LIBCMT ref: 00860DEC
Part of subcall function 00860DB6: __CxxThrowException@8.LIBCMT ref: 00860E01

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 00847A51: _memmove.LIBCMT ref: 00847AAB

__swprintf.LIBCMT ref: 00852ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00852D66

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 87923056f399c0ab4ea280d3c3768e82eb0b9189956c9f7d53e9cc195cee966b
Instruction ID: 073da85e2b2e99883485a91004a3786fc2073629639cf33176d7e4b2e35f4602
Opcode Fuzzy Hash: 87923056f399c0ab4ea280d3c3768e82eb0b9189956c9f7d53e9cc195cee966b
Instruction Fuzzy Hash: 39917A711082159FC714EF28C886C6FBBA9FF95724F00091DF895DB2A2EB20ED48CB52

Function 008AB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00844750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00844743,?,?,008437AE,?), ref: 00844770

CoInitialize.OLE32(00000000), ref: 008AB9BB
CoCreateInstance.OLE32(008D2D6C,00000000,00000001,008D2BDC,?), ref: 008AB9D4
CoUninitialize.OLE32 ref: 008AB9F1

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

Strings

.lnk, xrefs: 008AB99D, 008AB9AB

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 90fd08fea68ce299543f391817acb1544eb5dbcda1e670cbd70b4b84000e501c
Instruction ID: de40d836ee4a12c8f0a64ab32d06da9079427e8910a287ccf7eb664bfc350351
Opcode Fuzzy Hash: 90fd08fea68ce299543f391817acb1544eb5dbcda1e670cbd70b4b84000e501c
Instruction Fuzzy Hash: 2EA135756042059FDB10DF18C484D6ABBE5FF8A324F048959F89ADB362CB31EC46CB92

Function 0086501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008650AD

Part of subcall function 008700F0: __87except.LIBCMT ref: 0087012B

Strings

pow, xrefs: 00865085, 008650A2

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1e44dab39b2b570542bbd3b6ba61cb59c65195c4489fc117a61389940cd21bcc
Instruction ID: 9d5f715d95b2ae03ad7b61cfebb16c6b254ec230713211da4cc92932206929da
Opcode Fuzzy Hash: 1e44dab39b2b570542bbd3b6ba61cb59c65195c4489fc117a61389940cd21bcc
Instruction Fuzzy Hash: 4051592191CA06D6DB12B728C95137E3B94FB41714F24CA5AE4D9C62AEEF34CDC49E83

Function 00856192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00856248
_memmove.LIBCMT ref: 008562E4
_memset.LIBCMT ref: 00856308

Strings

ERCP, xrefs: 008561B3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ad33bada139cc6c7b7d1f8b7f8b9a6cbecdd1b7054b7ccdbd2917b9bdd665c2b
Instruction ID: 6338ab6d62264243af7f6644cce02a45ecbd0b520189080d34237b36f91a7ee6
Opcode Fuzzy Hash: ad33bada139cc6c7b7d1f8b7f8b9a6cbecdd1b7054b7ccdbd2917b9bdd665c2b
Instruction Fuzzy Hash: B751BF70900709DFDB24DFA5C881BAAB7E4FF04315F64456EE94ACB251E770AA58CB40

Function 008997F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00899296,?,?,00000034,00000800,?,00000034), ref: 008A14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0089983F

Part of subcall function 008A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008A14B1

Part of subcall function 008A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 008A1409
Part of subcall function 008A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0089925A,00000034,?,?,00001004,00000000,00000000), ref: 008A1419
Part of subcall function 008A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0089925A,00000034,?,?,00001004,00000000,00000000), ref: 008A142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008998AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008998F9

Strings

@, xrefs: 00899911

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 36cd2b2a5a2e6cdbc53fe937c238ac5f6f1d33655dbf025c80442f72f06cd3dd
Instruction ID: 19158e84bbd303906f8938f43ea6405539220ad928f9dc93ece6146ab48cf640
Opcode Fuzzy Hash: 36cd2b2a5a2e6cdbc53fe937c238ac5f6f1d33655dbf025c80442f72f06cd3dd
Instruction Fuzzy Hash: DF415076901118AFDF10DFA8CC45EDEBBB8FB09300F044059FA85B7541DA706E45CBA1

Function 008C7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008CF910,00000000,?,?,?,?), ref: 008C79DF
GetWindowLongW.USER32 ref: 008C79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008C7A0C

Strings

SysTreeView32, xrefs: 008C79B1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: bcf425b81f194a4929742561dca18a810b252840712ac0d9221502273977dce4
Instruction ID: e99a4a455047e942e2b917c2bc0da54500f698d962725b840163ed44e1c669c1
Opcode Fuzzy Hash: bcf425b81f194a4929742561dca18a810b252840712ac0d9221502273977dce4
Instruction Fuzzy Hash: 3431AD3120460AABEB118E38CC45FEA7BB9FB05324F208729F975E22E1D735E9559B50

Function 008C73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008C7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008C7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 008C7499

Strings

SysMonthCal32, xrefs: 008C742C

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4d686e25cbd248e9608947bf573ee038db134c55c5f00fbc4004832e9518acd2
Instruction ID: 5328e4d1b754f6ca3c14fdf2f7dc4e394659ff25955fd7fc35de9f9aca4866c6
Opcode Fuzzy Hash: 4d686e25cbd248e9608947bf573ee038db134c55c5f00fbc4004832e9518acd2
Instruction Fuzzy Hash: 18219132500218ABDF158F64CC46FEA3B7AFB48724F110218FE55AB190DA75EC91DBA0

Function 008C7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008C7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008C7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008C7C5F

Strings

msctls_updown32, xrefs: 008C7BC4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6b300c6dc04a369ba8c9596cdfc7eae6dd1ea2ac0024cb6636242e3a36fa502a
Instruction ID: d5d904e758838101db619fe3d154c938b8609150a4ae5cb1eb5aaeaceff61dbc
Opcode Fuzzy Hash: 6b300c6dc04a369ba8c9596cdfc7eae6dd1ea2ac0024cb6636242e3a36fa502a
Instruction Fuzzy Hash: D0216BB1604209AFEB10DF28DCC1EA737FDFB59364B154059FA05DB3A1CA31EC519A60

Function 008C6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008C6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008C6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008C6D70

Strings

Listbox, xrefs: 008C6D08

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4a3e2cc5a743becd8c6eb8608eba0e69c2f5ca235ab7d6a97c2c9aae690d5455
Instruction ID: 0ebc9638ff9cbd2bee74090aff7b64f429990937ae34e3040c3c709002127974
Opcode Fuzzy Hash: 4a3e2cc5a743becd8c6eb8608eba0e69c2f5ca235ab7d6a97c2c9aae690d5455
Instruction Fuzzy Hash: 5E216D32610118ABEB118F54DC45FAB3BBAFB89760F018138FA459B1A0D671DC619BA0

Function 008C770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008C7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008C7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008C7794

Strings

msctls_trackbar32, xrefs: 008C7749

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 10c2767d421fc7f025d36b10405cfec9c4c488c5513f1018475b923d0ff9769b
Instruction ID: 4246e2d0d47f3d50b438a697a22173d8508275946b634d0862225608fb4cb26a
Opcode Fuzzy Hash: 10c2767d421fc7f025d36b10405cfec9c4c488c5513f1018475b923d0ff9769b
Instruction Fuzzy Hash: F911C17224420CBAEF245F65CC05FAB7BB9FF88B64F11422CFA55E6190D672E851DB20

Function 00844C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00844BD0,?,00844DEF,?,009052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00844C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844C23

Strings

kernel32.dll, xrefs: 00844C0C
Wow64DisableWow64FsRedirection, xrefs: 00844C1D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9fb9fb203222cc33632530faf8a2989f8b78f90cf52fe9262f7a6e1af50d4d6e
Instruction ID: 27d6630152631668fa166fbe3a3e58414e0a8bb1ae5cf6b69668f75b17e9f6d6
Opcode Fuzzy Hash: 9fb9fb203222cc33632530faf8a2989f8b78f90cf52fe9262f7a6e1af50d4d6e
Instruction Fuzzy Hash: 78D01234911717CFE7205F71D948B06BAE6FF09351B19CC3E9596D6251E7B4D880C650

Function 00844C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00844B83,?), ref: 00844C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844C56

Strings

kernel32.dll, xrefs: 00844C3F
Wow64RevertWow64FsRedirection, xrefs: 00844C50

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: cba410c41cd5e191fffe9138f2a62ced8071fc7e33a1a22df151f59e47f7db02
Instruction ID: d40b5ce287f058daba80167a575e62e3a212c721b37365f8eba268ce03885204
Opcode Fuzzy Hash: cba410c41cd5e191fffe9138f2a62ced8071fc7e33a1a22df151f59e47f7db02
Instruction Fuzzy Hash: 54D01730510727CFE7209F31D948B1AB6E6FF15351B19C83EA6A6D6261E774D880CA50

Function 008C0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,008C1039), ref: 008C0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008C0E07

Strings

RegDeleteKeyExW, xrefs: 008C0E01
advapi32.dll, xrefs: 008C0DF0

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 08fc70de52f7b7b6b53fefda63e3d930e101e1087cfe0c63dac945ffe054c4f6
Instruction ID: 9ca19e34dc9ef1d0177de961e404901a8d0da82d54bd83d8f26b5049286237ff
Opcode Fuzzy Hash: 08fc70de52f7b7b6b53fefda63e3d930e101e1087cfe0c63dac945ffe054c4f6
Instruction Fuzzy Hash: 7FD08230440326CFE3218F70C808B8272E6FF08392F048C2ED692C6252E6B4D8908A00

Function 008B90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,008B8CF4,?,008CF910), ref: 008B90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008B9100

Strings

GetModuleHandleExW, xrefs: 008B90FA
kernel32.dll, xrefs: 008B90E9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 473d5fd5fcf7f754af5df89fe27f53a862d58e497ccb04ede285fe64c0108e32
Instruction ID: 13f7aedd473790e3e6fe15e2dd42aaa8e5f18c39f3fb716c66eb93d531487f46
Opcode Fuzzy Hash: 473d5fd5fcf7f754af5df89fe27f53a862d58e497ccb04ede285fe64c0108e32
Instruction Fuzzy Hash: E0D01235510713CFE7209F35D818A4676E5FF05351B15C87ED6D6D6761EB78C880CA50

Function 00881714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00881718
__swprintf.LIBCMT ref: 00881749

Strings

%.3d, xrefs: 00881723
WIN_XPe, xrefs: 00881788

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 63ff7dbb91b56eddaeadd9065c0315c01bacbc4c4755c892bda90f485d0c26de
Instruction ID: 41561fc35c093be645e9b135ddc99017c79158aaed79591e8386725d9b600912
Opcode Fuzzy Hash: 63ff7dbb91b56eddaeadd9065c0315c01bacbc4c4755c892bda90f485d0c26de
Instruction Fuzzy Hash: BFD0177184610DEACF50BB90988CCB9737CFB18309F10086AF606E2094EA358B96EB21

Function 0089717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6277d6523c26ff82a94c21541e85d5f1dadb71dda4d11ff68c472d6930086c
Instruction ID: 42f166c0a9b7fa125089676559c60f263aa4a3e8712ca4f8a032c9dd49c2a6ef
Opcode Fuzzy Hash: ba6277d6523c26ff82a94c21541e85d5f1dadb71dda4d11ff68c472d6930086c
Instruction Fuzzy Hash: E4C14E74A1421AEFCF14DFA4C884EAEBBB5FF48714B198598E805EB251D730ED81DB90

Function 008BE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008BE0BE
CharLowerBuffW.USER32(?,?), ref: 008BE101

Part of subcall function 008BD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008BD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008BE301
_memmove.LIBCMT ref: 008BE314

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: e38e0018d53e96173db930a98fd4ad34043be3579ae787b824968b2f3f5fde6b
Instruction ID: b09e0678b1fde8a790b094144c3c9aa07e5dabc84985b3497a62e1bc4f0bc0cd
Opcode Fuzzy Hash: e38e0018d53e96173db930a98fd4ad34043be3579ae787b824968b2f3f5fde6b
Instruction Fuzzy Hash: 48C106716083059FC714DF28C480AAABBE4FF89714F14896EF999DB352D731E946CB82

Function 008B8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008B80C3
CoUninitialize.OLE32 ref: 008B80CE

Part of subcall function 0089D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0089D5D4

VariantInit.OLEAUT32(?), ref: 008B80D9
VariantClear.OLEAUT32(?), ref: 008B83AA

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 976968d7ae89a798e8192aa2fb78b71b55a5bbd34ca8fd901e850aa46f27c92d
Instruction ID: efae275a2d8ca0a4e2a2bcc68d3bc10449507b0aa3b98ee77a758749aa2c48ca
Opcode Fuzzy Hash: 976968d7ae89a798e8192aa2fb78b71b55a5bbd34ca8fd901e850aa46f27c92d
Instruction Fuzzy Hash: B3A125756047059FDB20DF18C881A6AB7E8FF89754F044459F99ADB3A2CB30ED05CB86

Function 00897530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 008976EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 00897702
CLSIDFromProgID.OLE32(?,?,00000000,008CFB80,000000FF,?,00000000,00000800,00000000,?,008D2C7C,?), ref: 00897727
_memcmp.LIBCMT ref: 00897748

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4a8088f65c79fbc0acbe95fad55848a6b834f9800e014e1ee45e106829f6b33a
Instruction ID: fcd90dfbdb857ee170c03ea0a6c1619e9ef35a0330bf681e33e9d6efff8c4732
Opcode Fuzzy Hash: 4a8088f65c79fbc0acbe95fad55848a6b834f9800e014e1ee45e106829f6b33a
Instruction Fuzzy Hash: 9281F775A10109EFCF04DFA8C984EEEB7B9FF89315B244558E506EB250DB71AE06CB60

Function 0089687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089688E
SysAllocString.OLEAUT32(00000000), ref: 00896937
VariantCopy.OLEAUT32 ref: 00896966
VariantClear.OLEAUT32(?), ref: 0089698D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ea74000435be4dfa055cb1c18f9f3ea7bfe55a0052bc323e66c9a4c317866651
Instruction ID: d8206e2e80cb9d0d3d7e783b41d2c3652452f74d0e50e2958a9e5c751fe9c211
Opcode Fuzzy Hash: ea74000435be4dfa055cb1c18f9f3ea7bfe55a0052bc323e66c9a4c317866651
Instruction Fuzzy Hash: AB51A0746003059ADF24BF69D891A2EB7E6FF45314F28C81FE596EB291FB34D8608706

Function 008C97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F3EBC8,?), ref: 008C9863
ScreenToClient.USER32(00000002,00000002), ref: 008C9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 008C9903

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ad39ac13a2b719d9938a7ec73abe86fdc4089414bcdc2e8c5c0cb71621e2fc49
Instruction ID: 23d489b39893b53807632b269ea2f884690310756f2077c1cf1f6c819aab50a6
Opcode Fuzzy Hash: ad39ac13a2b719d9938a7ec73abe86fdc4089414bcdc2e8c5c0cb71621e2fc49
Instruction Fuzzy Hash: F751FA34A00609AFDB10CF58C888EAE7BB6FB55360F1481ADF995DB2A0D731ED41DB90

Function 00899A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00899AD2
__itow.LIBCMT ref: 00899B03

Part of subcall function 00899D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00899DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00899B6C
__itow.LIBCMT ref: 00899BC3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 0501d82efab7092638caad9974f54ed49e5ecb2cd2e8e9820c4c39ffbf24cb95
Instruction ID: 33dcceae7169c873a1bf440bd458fb05ef4198fed52e588349c5c801ed1ff1c0
Opcode Fuzzy Hash: 0501d82efab7092638caad9974f54ed49e5ecb2cd2e8e9820c4c39ffbf24cb95
Instruction Fuzzy Hash: 45413D74A0021CABDF11EF68D885BAE7FB9FF44724F040069F945E6291DB749A44CBA2

Function 008B69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008B69D1
WSAGetLastError.WSOCK32(00000000), ref: 008B69E1

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008B6A45
WSAGetLastError.WSOCK32(00000000), ref: 008B6A51

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c10d28d3c90f164cdb24b8cf6852d795791030320715578a3bb7d77b1d1a73d0
Instruction ID: 304ab9bd7d1dfa772d1d9699c722df2c8c4c577d73581caa464a7e7f88b5458a
Opcode Fuzzy Hash: c10d28d3c90f164cdb24b8cf6852d795791030320715578a3bb7d77b1d1a73d0
Instruction Fuzzy Hash: BB418F75640214AFEB60BF28CC86F6A77A5FF04B14F048428FA59EB3D3DA749D108792

Function 008B641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,008CF910), ref: 008B64A7
_strlen.LIBCMT ref: 008B64D9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e9bdceb7ea1dcdae41b3af3730f1ff159bee4465299972f34d5e532619796acd
Instruction ID: 240ac6227a167fda89d09630d1f845ad8b0a61bfd803c3b6193658df6bfdb3da
Opcode Fuzzy Hash: e9bdceb7ea1dcdae41b3af3730f1ff159bee4465299972f34d5e532619796acd
Instruction Fuzzy Hash: EC418231500118ABCB24EBA8DC85FEEB7A9FF44310F148155F919D7392EB34AD24CB52

Function 008AB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008AB89E
GetLastError.KERNEL32(?,00000000), ref: 008AB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008AB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008AB915

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 84da09d52ea07656e26393a2e82e441b063aa99b361b2e8d2ae0c145095a0183
Instruction ID: 23b64d88758e497bcc7c97cf52a188bc4cb75b02fc942228b6b1b50da85e9460
Opcode Fuzzy Hash: 84da09d52ea07656e26393a2e82e441b063aa99b361b2e8d2ae0c145095a0183
Instruction Fuzzy Hash: A5410C35600514DFDB21DF19C445A5ABBE1FF8A310F198099ED8A9B762CB35FD01CB92

Function 008C8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008C88DE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cd3c15d1f509b1dcb48fb68f1bc8ab2296000cf29833a1151397290df4de31fc
Instruction ID: 89ad2e5622923f24c4d28145e32fb9c0b10f913fc8bbbc9b56efdbaec29eaa26
Opcode Fuzzy Hash: cd3c15d1f509b1dcb48fb68f1bc8ab2296000cf29833a1151397290df4de31fc
Instruction Fuzzy Hash: 6531B034684108EFEB209A68DC45FB97BB5FB09310F94412AFA11E76A1CF70E9849B52

Function 008CAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008CAB60
GetWindowRect.USER32(?,?), ref: 008CABD6
PtInRect.USER32(?,?,008CC014), ref: 008CABE6
MessageBeep.USER32(00000000), ref: 008CAC57

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7c87e7f147607bcd8916007352fe4dda094b4f5f8bfb13fded337b8ad957b9a1
Instruction ID: e6f05fb8b7e1f23638039fce4d2bbb36a459d2a63f5c18005ea145c2938df079
Opcode Fuzzy Hash: 7c87e7f147607bcd8916007352fe4dda094b4f5f8bfb13fded337b8ad957b9a1
Instruction Fuzzy Hash: DC417930A0021D9FCB19DF58D884FA9BBF6FB49318F1881A9E914DB261D730E841DF92

Function 008761C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008761FB
__isleadbyte_l.LIBCMT ref: 00876229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00876257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0087628D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d284a38484fb7acc4f1230a409ef08f819524be9b61230e2df41b1e1562a6ca6
Instruction ID: 959cbf447d30228c761629fba79d85911d4ae1ca4d363cf80d490f4ac96c7d45
Opcode Fuzzy Hash: d284a38484fb7acc4f1230a409ef08f819524be9b61230e2df41b1e1562a6ca6
Instruction Fuzzy Hash: FE31C130600A46EFDF219F65CC48BAA7BB9FF42310F158029E828D71A6E731D960DB50

Function 008C4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008C4F02

Part of subcall function 008A3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008A365B
Part of subcall function 008A3641: GetCurrentThreadId.KERNEL32 ref: 008A3662
Part of subcall function 008A3641: AttachThreadInput.USER32(00000000,?,008A5005), ref: 008A3669

GetCaretPos.USER32(?), ref: 008C4F13
ClientToScreen.USER32(00000000,?), ref: 008C4F4E
GetForegroundWindow.USER32 ref: 008C4F54

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1c687e7ddce520747e670d85ef032704beeb9ab87ed20fefe1aaf059157c5846
Instruction ID: 0b8631798b355d1848493696500499a8bc94d22de70b078d530187296d9aa6ee
Opcode Fuzzy Hash: 1c687e7ddce520747e670d85ef032704beeb9ab87ed20fefe1aaf059157c5846
Instruction Fuzzy Hash: ED313C71D00108AFDB10EFA9C885DEFB7F9FF99300F10406AE555E7201EA759E458BA1

Function 008A3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008A3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 008A3C88
Process32NextW.KERNEL32(00000000,?), ref: 008A3CA8
CloseHandle.KERNEL32(00000000), ref: 008A3D52

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c0644901ca046e11c0f235b4cebb2ca9faa751d46bc4ac6a6ca535a1ab0d037f
Instruction ID: 60990fd6a3348fd7ee6374defcc964c962038be48950a6b87b581c4f76fedeb6
Opcode Fuzzy Hash: c0644901ca046e11c0f235b4cebb2ca9faa751d46bc4ac6a6ca535a1ab0d037f
Instruction Fuzzy Hash: 67316F71108349DFE301EF64D885AAEBBE8FF95354F50082DF582C61A2EB719A49CB53

Function 008CC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

GetCursorPos.USER32(?), ref: 008CC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0087B9AB,?,?,?,?,?), ref: 008CC4E7
GetCursorPos.USER32(?), ref: 008CC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0087B9AB,?,?,?), ref: 008CC56E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 288b71c9f1062d8cb3314ea5f04135af0d902259400b974264b5b1a6aed1c70f
Instruction ID: b80a8a9d31446f0ce34bb402fee5d8eec12d544a28aff19527520e8a162f6d82
Opcode Fuzzy Hash: 288b71c9f1062d8cb3314ea5f04135af0d902259400b974264b5b1a6aed1c70f
Instruction Fuzzy Hash: D4315E35600458AFDB25CF58C858EAA7BBAFB49310F444169FA09CB2A1C731ED51DFA4

Function 00898656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0089810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00898121
Part of subcall function 0089810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0089812B
Part of subcall function 0089810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0089813A
Part of subcall function 0089810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00898141
Part of subcall function 0089810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00898157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008986A3
_memcmp.LIBCMT ref: 008986C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008986FC
HeapFree.KERNEL32(00000000), ref: 00898703

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b749b76ff1e6f195331665738ec159a50aabbb6a2a576f1921148dd1bfead475
Instruction ID: e73af90424cee73102b0f7af4d644ef200be0d42b857c1a8edc449eced58ffba
Opcode Fuzzy Hash: b749b76ff1e6f195331665738ec159a50aabbb6a2a576f1921148dd1bfead475
Instruction Fuzzy Hash: 64215772E4010AEBDF11EFA8C949BAEB7B9FF56304F194059E444AB241DB31AE05CB90

Function 0086098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 008609AE

Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50

_fprintf.LIBCMT ref: 008609E5
OutputDebugStringW.KERNEL32(?), ref: 00895DBB

Part of subcall function 00864AAA: _flsall.LIBCMT ref: 00864AC3

__setmode.LIBCMT ref: 00860A1A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: d39b011a70273db423ae26074556270b8990b9e5c63bcfe27faeed20fc4513ce
Instruction ID: 04210c27a16eeba7c22a41c900543c75337851aa99e5671e40f82548476693a1
Opcode Fuzzy Hash: d39b011a70273db423ae26074556270b8990b9e5c63bcfe27faeed20fc4513ce
Instruction Fuzzy Hash: 3D1127315042087FDB04B6BCAC469BE7B69FF46320F250166F205D7183EE20484257A6

Function 008B1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008B17A3

Part of subcall function 008B182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008B184C
Part of subcall function 008B182D: InternetCloseHandle.WININET(00000000), ref: 008B18E9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 19d83082a4f4b889d2e110986477c1d95c4c3cc6fb30b3f1976b26a3183ba8f6
Instruction ID: 89129afc6d310b228dd9086291e38628076858b50b9235b97c1737ddeb90f940
Opcode Fuzzy Hash: 19d83082a4f4b889d2e110986477c1d95c4c3cc6fb30b3f1976b26a3183ba8f6
Instruction Fuzzy Hash: 5121FF32200605BFEF129F608C18FFABBAAFF48701F10402AFA11DA751DB31982097A5

Function 008A3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008CFAC0), ref: 008A3A64
GetLastError.KERNEL32 ref: 008A3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 008A3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008CFAC0), ref: 008A3ADF

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 31c3adc27ec3b9029f8659a9dd96ea3113e05c121788398cc697d97bc7773fcf
Instruction ID: 3fa49b173df937eb6503b9836d025b79f8c944b168ec9c7565280ce164e60c24
Opcode Fuzzy Hash: 31c3adc27ec3b9029f8659a9dd96ea3113e05c121788398cc697d97bc7773fcf
Instruction Fuzzy Hash: 0B2186745086259F9310DF28D88186ABBF4FF56368F104A1DF499C72A2D731EE46CB53

Function 0089DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0089F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?), ref: 0089F0CB
Part of subcall function 0089F0BC: lstrcpyW.KERNEL32(00000000,?,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089F0F1
Part of subcall function 0089F0BC: lstrcmpiW.KERNEL32(00000000,?,0089DCD3,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?), ref: 0089F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DCEC
lstrcpyW.KERNEL32(00000000,?,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,0089EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0089DD46

Strings

cdecl, xrefs: 0089DD3D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2f3c68e41ffd88fea70e7eb6840532f6edc851c584a4f81d281bd98a7ffbf53c
Instruction ID: 0c6a7201db024cac782f2d46261c85d0132da561102c6b6008094e168c8052fd
Opcode Fuzzy Hash: 2f3c68e41ffd88fea70e7eb6840532f6edc851c584a4f81d281bd98a7ffbf53c
Instruction Fuzzy Hash: 9E11BE7A200305EFDF25AF34C845D7A77A9FF45350B44812AF906CB2A1EB719841CBA9

Function 008750E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00875101

Part of subcall function 0086571C: __FF_MSGBANNER.LIBCMT ref: 00865733
Part of subcall function 0086571C: __NMSG_WRITE.LIBCMT ref: 0086573A
Part of subcall function 0086571C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00860DD3,?), ref: 0086575F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1681abbc0494e00edb3ece38f3713943a11e5a1a2a83c9fbdf6fecc89db97a7d
Instruction ID: cfd2d5c3714177773d595495299dedafc54fd02c1a86af3afd3a89c8c4dfef49
Opcode Fuzzy Hash: 1681abbc0494e00edb3ece38f3713943a11e5a1a2a83c9fbdf6fecc89db97a7d
Instruction Fuzzy Hash: D9110672504A19AFDB316F78BC45B6D3B98FF00372F518629F90CD6255DEB0C94097A1

Function 008444A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008444CF

Part of subcall function 0084407C: _memset.LIBCMT ref: 008440FC
Part of subcall function 0084407C: _wcscpy.LIBCMT ref: 00844150
Part of subcall function 0084407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00844160

KillTimer.USER32(?,00000001,?,?), ref: 00844524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00844533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0087D4B9

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c74be689bc84af3668fba76b35e253cb9abebf474c29d6221550a7a0c3c3fd6b
Instruction ID: b05d9f0c12cf55fe9ea89600ecdbf9abe6bf28e1bc602c2a333091f56db4fb8e
Opcode Fuzzy Hash: c74be689bc84af3668fba76b35e253cb9abebf474c29d6221550a7a0c3c3fd6b
Instruction Fuzzy Hash: BD21D070904788AFEB328B24D845BE6BBFCFF01318F04409EE79E96182C3746A84DB45

Function 008B6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008A7896,?,?,00000000), ref: 00845A2C
Part of subcall function 00845A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008A7896,?,?,00000000,?,?), ref: 00845A50

gethostbyname.WSOCK32(?,?,?), ref: 008B6399
WSAGetLastError.WSOCK32(00000000), ref: 008B63A4
_memmove.LIBCMT ref: 008B63D1
inet_ntoa.WSOCK32(?), ref: 008B63DC

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4be58f71c06d7bcad9d6600541920147168554b4ec45f5c94ff84581f56110b2
Instruction ID: 41a0481c164c863c19e2ab47069a5951fb15f0c2e8cd9795174ac2bcbad61468
Opcode Fuzzy Hash: 4be58f71c06d7bcad9d6600541920147168554b4ec45f5c94ff84581f56110b2
Instruction Fuzzy Hash: 66111C31500109AFCB04FBA8D946DEEBBB9FF58310B544065F506E7262EB31AE14DB62

Function 00898B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00898B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00898BA4

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 19b0b8511041b93d6bedfaf2445caf1859f6494bdde466c1fb02e8afd43575ff
Instruction ID: 7684cca2b821a642dc434ec850c0786d4f926e02f2683e7ab7047f534545b9da
Opcode Fuzzy Hash: 19b0b8511041b93d6bedfaf2445caf1859f6494bdde466c1fb02e8afd43575ff
Instruction Fuzzy Hash: F1113A79900219FFEF10DB95CC84E9DBBB4FB48310F244095EA00B7250DA716E10DB94

Function 00841290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00842612: GetWindowLongW.USER32(?,000000EB), ref: 00842623

DefDlgProcW.USER32(?,00000020,?), ref: 008412D8
GetClientRect.USER32(?,?), ref: 0087B5FB
GetCursorPos.USER32(?), ref: 0087B605
ScreenToClient.USER32(?,?), ref: 0087B610

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8106866697d7e0b5b90a68ac06bde535c636fb922b7e006b265f045dfd880e77
Instruction ID: 1455eee153a95c400dc41e7517f3b4dcece514dc1b4b94d981d18ccfd8944767
Opcode Fuzzy Hash: 8106866697d7e0b5b90a68ac06bde535c636fb922b7e006b265f045dfd880e77
Instruction Fuzzy Hash: 10112235A0012DEFDF10EFA8D889DEE77B9FB05300F404466FA01E7241D770AA919BA6

Function 008A1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0089FCED,?,008A0D40,?,00008000), ref: 008A11C1

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d8f622e89ef275b7b757074e70fb2e5c7c5b90406dc54e3a5a813c5ef49e5003
Instruction ID: e7391c0a5797f6980944ca50ee9b1d001404e6911528778aeb1432368f2305a4
Opcode Fuzzy Hash: d8f622e89ef275b7b757074e70fb2e5c7c5b90406dc54e3a5a813c5ef49e5003
Instruction Fuzzy Hash: 37113C35D0051DDBEF009FA5D848AEEBBB9FF0A711F055056EB81F2241CB709560CB95

Function 0089D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0089D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0089D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0089D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0089D897

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 16b656f7833295f69b2241863046bd7699a42115365080639012ecacf8d2684b
Instruction ID: 2f5d3acc668a47aa9831a77c0701049002ffbb748ccee3d58930736be65453c0
Opcode Fuzzy Hash: 16b656f7833295f69b2241863046bd7699a42115365080639012ecacf8d2684b
Instruction Fuzzy Hash: 4111A571601305DBF7209F90DC09F93BBBCFF00700F148979AA15E6042D7B0E5099BA5

Function 00876FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00876FDB

Part of subcall function 008776C2: __fltout2.LIBCMT ref: 008776EB

__cftog_l.LIBCMT ref: 00877001
__cftoe_l.LIBCMT ref: 00877033

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3b4743aa0c2a11dfade16a0c34d67e1df784f4a9038f820bf15906229a074527
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 2A014E7244454EBBCF165F88CC41CED3F62FB18354B588415FA1C99035D236D9B1EB81

Function 008CB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008CB2E4
ScreenToClient.USER32(?,?), ref: 008CB2FC
ScreenToClient.USER32(?,?), ref: 008CB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008CB33B

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 89342ac7f8a0dde8ff0d8a6ab1817bfe513c3c4db7990d3ced58d5a2ec3dc065
Instruction ID: 14cb27b608869830d70f05c5686c29115f271a62ae8a22bf60343cf2c2f7cf03
Opcode Fuzzy Hash: 89342ac7f8a0dde8ff0d8a6ab1817bfe513c3c4db7990d3ced58d5a2ec3dc065
Instruction Fuzzy Hash: D31143B9D00649EFDB41CFA9C884EEEBBF9FB18310F108166E914E3220D735AA559F50

Function 008CB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008CB644
_memset.LIBCMT ref: 008CB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00906F20,00906F64), ref: 008CB682
CloseHandle.KERNEL32 ref: 008CB694

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1436bc0c107583539abc9d067f739b7201ceba5238934521397c4009c7150fc5
Instruction ID: 0132151b2d8a2416ea74807e5342bb96ff66fc3046f722ab86b9268af647b297
Opcode Fuzzy Hash: 1436bc0c107583539abc9d067f739b7201ceba5238934521397c4009c7150fc5
Instruction Fuzzy Hash: 45F0FEB25543067EF2102765BC06FBB7A9CFB09795F404021BB08E5192DB755C2097A9

Function 008A6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008A6BE6

Part of subcall function 008A76C4: _memset.LIBCMT ref: 008A76F9

_memmove.LIBCMT ref: 008A6C09
_memset.LIBCMT ref: 008A6C16
LeaveCriticalSection.KERNEL32(?), ref: 008A6C26

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a2a9ef78f810501fd056caf82ee167b76fb076716bbd57bf524379452bbc0074
Instruction ID: 2749ed8fa8ca5c595d24ad03804f669b89278ab13d65ee1aeb779cab6196a9a2
Opcode Fuzzy Hash: a2a9ef78f810501fd056caf82ee167b76fb076716bbd57bf524379452bbc0074
Instruction Fuzzy Hash: 56F0543A100100ABDF016F59DC85E4ABB2AFF45361F048061FE089E227C731E811DBB5

Function 00842218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00842231
SetTextColor.GDI32(?,000000FF), ref: 0084223B
SetBkMode.GDI32(?,00000001), ref: 00842250
GetStockObject.GDI32(00000005), ref: 00842258
GetWindowDC.USER32(?,00000000), ref: 0087BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0087BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0087BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0087BEC2
GetPixel.GDI32(00000000,?,?), ref: 0087BEE2
ReleaseDC.USER32(?,00000000), ref: 0087BEED

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c81a80de8fdc24fdbc112808442d4c1e545540ef7bd5ccd4401abc28cbcab6c6
Instruction ID: cb3ec2724169d0ebdd5e625930d659908cdf18aac52b937ee6ebbf029edec82c
Opcode Fuzzy Hash: c81a80de8fdc24fdbc112808442d4c1e545540ef7bd5ccd4401abc28cbcab6c6
Instruction Fuzzy Hash: AFE03932104244AAEB225F64EC0DBD83B22FB05332F148366FB69880E687B18980DB12

Function 00898712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0089871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,008982E6), ref: 00898722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008982E6), ref: 0089872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,008982E6), ref: 00898736

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 07c64bd0bfd9968a8e49cf8275486b3017704978f10f939a3df15450748e23f2
Instruction ID: c3ebcec8919de8061b0c218d80a2490160c44f37a80c77cba449cabeb6b6159f
Opcode Fuzzy Hash: 07c64bd0bfd9968a8e49cf8275486b3017704978f10f939a3df15450748e23f2
Instruction Fuzzy Hash: 60E08676611212EBEB206FF15D0CF567BBEFF51B92F144828B745CA041DB348445C750

Function 00865DAC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00865DAD

Part of subcall function 008699C4: GetLastError.KERNEL32(00000000,00860DD3,00868B2D,008657A3,?,?,00860DD3,?), ref: 008699C6
Part of subcall function 008699C4: __calloc_crt.LIBCMT ref: 008699E7
Part of subcall function 008699C4: __initptd.LIBCMT ref: 00869A09
Part of subcall function 008699C4: GetCurrentThreadId.KERNEL32 ref: 00869A10
Part of subcall function 008699C4: SetLastError.KERNEL32(00000000,00860DD3,?), ref: 00869A28

CloseHandle.KERNEL32(?,?,00865D8C), ref: 00865DC1
__freeptd.LIBCMT ref: 00865DC8
ExitThread.KERNEL32 ref: 00865DD0

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: fd6593eed444ea37bd29dc4a327c517bec91e33c203ff77774d8e950f7423929
Instruction ID: 592ab4521737851998f30dbc6c3b8fd3b78fa7e2c0766f2582ec7d58adfbd0c1
Opcode Fuzzy Hash: fd6593eed444ea37bd29dc4a327c517bec91e33c203ff77774d8e950f7423929
Instruction Fuzzy Hash: 9ED0A731001F11A7D23227348C0EB293668FF00761F064229F1A5C51F18B305802CA42

Function 0089B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0089B4BE

Strings

Container, xrefs: 0089B43B
AutoIt3GUI, xrefs: 0089B436

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 42e226b304855ba333bc2b376f44ed3319500f4f17f4dd838c71fc30947393ee
Instruction ID: 8624fa83ec30304505aa0ea97e62b57bcd3135ee102a766e5931840a59d5b0f1
Opcode Fuzzy Hash: 42e226b304855ba333bc2b376f44ed3319500f4f17f4dd838c71fc30947393ee
Instruction Fuzzy Hash: 8E914870200605EFDB14EF68D984A6ABBE5FF49710F24856EF94ACB391DB70E841CB50

Function 008AAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0085FC86: _wcscpy.LIBCMT ref: 0085FCA9

Part of subcall function 00849837: __itow.LIBCMT ref: 00849862
Part of subcall function 00849837: __swprintf.LIBCMT ref: 008498AC

__wcsnicmp.LIBCMT ref: 008AB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008AB0F6

Strings

LPT, xrefs: 008AB027

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 99464d2074ec2ca63d5ae0f1e7a857867457e858730e1ba52ed04282812d273c
Instruction ID: f480bccf530befa9766872d89d5ac98c237e5d31edfe0df77d35a4214b6267aa
Opcode Fuzzy Hash: 99464d2074ec2ca63d5ae0f1e7a857867457e858730e1ba52ed04282812d273c
Instruction Fuzzy Hash: 12618F75A00219AFDB14DF98C8A1EAEB7B4FF09310F10406AF956EB792D770AE44CB51

Function 00852957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00852968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00852981

Strings

@, xrefs: 00852975

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ecbafaa564f3791532ddf052c12fdaf5f2161f165e4a8553d0bdde52402715f6
Instruction ID: 526a7c1e381f41b0ec68b118b21b584c2cf096d80933f08947e303818ae17f18
Opcode Fuzzy Hash: ecbafaa564f3791532ddf052c12fdaf5f2161f165e4a8553d0bdde52402715f6
Instruction Fuzzy Hash: 2B5138714187489BD320EF18D886BAFBBE8FF85344F42885DF2D9811A1DB718529CB67

Function 008A9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00844F0B: __fread_nolock.LIBCMT ref: 00844F29

_wcscmp.LIBCMT ref: 008A9824
_wcscmp.LIBCMT ref: 008A9837

Strings

FILE, xrefs: 008A9770

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: a2c74d6753fc8bbcf829f74c4916750083ac4249097058f1b06c4637829b341d
Instruction ID: 491f4bd04aaee264e11d0b302606fe02cc6b428384ec44005c104c82ff4cdc15
Opcode Fuzzy Hash: a2c74d6753fc8bbcf829f74c4916750083ac4249097058f1b06c4637829b341d
Instruction Fuzzy Hash: 56419471A0421DBAEF219BA4CC45FEFBBB9FF86710F014479F904E7181EA759A048B61

Function 008B258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008B259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008B25D4

Strings

|, xrefs: 008B25A5

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 66549f98c1771aa9c225be93b9c230b5d98ffa9d76c2027a01b3853c7e53f7df
Instruction ID: 279a23542a42161aad32b17bb00d91ad15c68d1088955a1802e551f5388c3829
Opcode Fuzzy Hash: 66549f98c1771aa9c225be93b9c230b5d98ffa9d76c2027a01b3853c7e53f7df
Instruction Fuzzy Hash: B131F47180011DABCF11AFA4CC85EEEBFB9FF18350F104069E915AA262EB315956DB61

Function 008C7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 008C7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008C7B76

Strings

', xrefs: 008C7ACA

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4629e6c0c6c47fe47cdf227c284e438cd22ae226749a109fe6e7e5340ff02a48
Instruction ID: 10389604879833145b10a42a67f19a8cf47aed4560336019372038fe63212d37
Opcode Fuzzy Hash: 4629e6c0c6c47fe47cdf227c284e438cd22ae226749a109fe6e7e5340ff02a48
Instruction Fuzzy Hash: 1B41E674A0521A9FDB14CF68C981FEABBB9FB08314F14416AE904EB391E771A951CF90

Function 008C6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008C6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008C6B53

Strings

static, xrefs: 008C6AB3

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1271a76bb3fcb3b3f20be3bc62a9fe2798a6d7c4cdc3e18f6b3aaffccd01da5a
Instruction ID: 4267918b2d5ac69adade6daaa2bd36f1056e2b56ddb749eeb8aa1ff84aadbb7e
Opcode Fuzzy Hash: 1271a76bb3fcb3b3f20be3bc62a9fe2798a6d7c4cdc3e18f6b3aaffccd01da5a
Instruction Fuzzy Hash: 85315C71100608AAEB109F68D841FBB77B9FF48764F10862DF9A5D7191DA31EC91DB60

Function 008A28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008A294C

Strings

0, xrefs: 008A290A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: aff5f1676911a54bdf9cb096c4030f45c535af77649df5ecf65765e6063e1bca
Instruction ID: 482951044a39badb318112cfe7fc49829d103de8dc574066f53a4c1d87654ce4
Opcode Fuzzy Hash: aff5f1676911a54bdf9cb096c4030f45c535af77649df5ecf65765e6063e1bca
Instruction Fuzzy Hash: EA319C316003099BFB348E5CC985FAFBFA9FF46750F180069E985E65A1E7709941CB51

Function 008B39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 008B3A66

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 008B3A58
, $, xrefs: 008B3AA6

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 5bd3c4cfebb42738dc96b4ed9bb81d9851f8f774ff8b050a0fe7f1e1ba4b30f0
Instruction ID: ba948b13231a870e06efc61143ec9c68601c6d3948289a3c5d41709712d57bac
Opcode Fuzzy Hash: 5bd3c4cfebb42738dc96b4ed9bb81d9851f8f774ff8b050a0fe7f1e1ba4b30f0
Instruction Fuzzy Hash: 68215C3160062DAFCF10EFA8CC82AAE77B9FF44710F600454E555EB282DB34EA55CB62

Function 008C66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008C6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008C676C

Strings

Combobox, xrefs: 008C672E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 394ee815e9aa17f1e88a53dbbdb403a3c6cd4b6fc9e33eac410d8665598ad634
Instruction ID: d69a7a9efa007045fec7dd45fc9bc2b08b12c707292d5b85d8dc1b278dd6a311
Opcode Fuzzy Hash: 394ee815e9aa17f1e88a53dbbdb403a3c6cd4b6fc9e33eac410d8665598ad634
Instruction Fuzzy Hash: FC119071200208AFEF118F54CC81FBB377AFB48368F100629F918D7290E631DC6197A0

Function 008C6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00841D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00841D73
Part of subcall function 00841D35: GetStockObject.GDI32(00000011), ref: 00841D87
Part of subcall function 00841D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00841D91

GetWindowRect.USER32(00000000,?), ref: 008C6C71
GetSysColor.USER32(00000012), ref: 008C6C8B

Strings

static, xrefs: 008C6C4E

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bfb8e8443fbf3d818f32a0f26d0d7af28d6b877f94d0c42bd0c6b88e28b5e091
Instruction ID: a72048441b14b1ae043f204c82d3e93314593d230ac25ef9b2d8ff5b4daa2954
Opcode Fuzzy Hash: bfb8e8443fbf3d818f32a0f26d0d7af28d6b877f94d0c42bd0c6b88e28b5e091
Instruction Fuzzy Hash: 0821F672610209AFEF04DFA8CC45EEA7BB9FB08314F014629FA95D2251E635E861DB61

Function 008C6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008C69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008C69B1

Strings

edit, xrefs: 008C6986

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ecf526e153634f2a37cf3d1f896f319bf49797ca6c35c5c31df9bd9089c6f45f
Instruction ID: 109222a6969e68378cbf1b252ecca8312474306a08ac52610eedad2d05ddfa17
Opcode Fuzzy Hash: ecf526e153634f2a37cf3d1f896f319bf49797ca6c35c5c31df9bd9089c6f45f
Instruction Fuzzy Hash: 8A116D71510108ABEB108E749C45FAB3B7AFB05378F504728FAA5D61E0D731DC65AB60

Function 008A29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008A2A41

Strings

0, xrefs: 008A2A18

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9b17b056a6fe93f13d33e7bf25ad037d247840c061893d971fd5bf57090fe384
Instruction ID: a8bc64ece9367c7328a1e891762518cf1a7d79f42dcfce2ce510a91589b026d2
Opcode Fuzzy Hash: 9b17b056a6fe93f13d33e7bf25ad037d247840c061893d971fd5bf57090fe384
Instruction Fuzzy Hash: B911D332A05128ABEF30DA5CD844B9A77B9FB46314F055021ED55E7690D730BD06CB91

Function 008B21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008B222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008B2255

Strings

<local>, xrefs: 008B221D

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 66ceb498260c418794432be0bb31003795ad32da5f5c49fc3625adad12af06cd
Instruction ID: 9246e25141df89f150091e36f47ca5f3000d341a560ba13fab732fc5f1f308ea
Opcode Fuzzy Hash: 66ceb498260c418794432be0bb31003795ad32da5f5c49fc3625adad12af06cd
Instruction Fuzzy Hash: 3D11C270541229BADB258F558C84EFBFBA8FF16755F10822AFA15D6600D3706990D6F0

Function 008B7D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008B7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008B7DB3,?,00000000,?,?), ref: 008B800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008B7DB6
htons.WSOCK32(00000000,?,00000000), ref: 008B7DF3

Strings

255.255.255.255, xrefs: 008B7DCE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 6fea0df0c8adf78dd94c5b63f692ccfa943b0a4b72fd20a5d20d3167103c7388
Instruction ID: ffa4ee6399d87c91951ca34ef55338e0a8e470742d2e2a3a487ff754d9deb5b0
Opcode Fuzzy Hash: 6fea0df0c8adf78dd94c5b63f692ccfa943b0a4b72fd20a5d20d3167103c7388
Instruction Fuzzy Hash: 15118234504309ABDB20AFA8DC86FFEB725FF44720F14455AEA11D7392DA71A9108691

Function 00898E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00898E73

Strings

ListBox, xrefs: 00898E3D
ComboBox, xrefs: 00898E12

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c0a34aca75a0afc5af8083cbde2ef58241ef2662d04b0cb2c9c69e4d0ebc20c0
Instruction ID: ed22399ee1082eb765de68e78ea4ef0e5809c35988a7102e693dec1e33836ce4
Opcode Fuzzy Hash: c0a34aca75a0afc5af8083cbde2ef58241ef2662d04b0cb2c9c69e4d0ebc20c0
Instruction Fuzzy Hash: 7101D271A0122DAB9F14BBA8CC519FE7769FF06320B080619F831E73D2EE355808C651

Function 00898CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00898D6B

Strings

ListBox, xrefs: 00898D35
ComboBox, xrefs: 00898D0A

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8112dc0db5b01c5e4b318cca9cdf34908cd6c8e2e59e09e559f959d7c3852c44
Instruction ID: 4d075f3df31faf85dde4c40d531f10330095b00f56fdfc825238689003fb2df4
Opcode Fuzzy Hash: 8112dc0db5b01c5e4b318cca9cdf34908cd6c8e2e59e09e559f959d7c3852c44
Instruction Fuzzy Hash: 9801D4B1A4110DABDF14FBA4C952EFE77A8FF16340F140029B901E32D2EE245E08D2B2

Function 00898D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847DE1: _memmove.LIBCMT ref: 00847E22

Part of subcall function 0089AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0089AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00898DEE

Strings

ListBox, xrefs: 00898DBA
ComboBox, xrefs: 00898D8F

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9284f1319a4972290ef332fc47e9431ea364ea2730af047c8903bc9e992421b1
Instruction ID: 79cbe5dff9a6cdb520d0ee57b7309944dd8382409a48f693445217bcad8a00d2
Opcode Fuzzy Hash: 9284f1319a4972290ef332fc47e9431ea364ea2730af047c8903bc9e992421b1
Instruction Fuzzy Hash: C701A771A5110DA7DF15F6A8C942EFE77A8FF16340F140015B805F3292DE254E08D272

Function 008A4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008A4F46
_wcscmp.LIBCMT ref: 008A4F58

Strings

#32770, xrefs: 008A4F52

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 613c3e18e4fa1b2bd5d06523226c57e2aab06261f87d373c43e12fcf4b2cc401
Instruction ID: 03bb51113b2a1c1e609e6ca2729c1152cc11d0a44d0a93df63d640e2b6cd1106
Opcode Fuzzy Hash: 613c3e18e4fa1b2bd5d06523226c57e2aab06261f87d373c43e12fcf4b2cc401
Instruction Fuzzy Hash: 82E02B325042282BE71097999C09EA7F7ACFB45B20F000016FD00D3041DA609A058BD0

Function 0087B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0087B314: _memset.LIBCMT ref: 0087B321

Part of subcall function 00860940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0087B2F0,?,?,?,0084100A), ref: 00860945

IsDebuggerPresent.KERNEL32(?,?,?,0084100A), ref: 0087B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0084100A), ref: 0087B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0087B2FE

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: bb1affba04200ebd718843690fdfdc478a404a09850317f62eb42ca3c19dbc2e
Instruction ID: be3d2db30649ba30dd21f8c56efb65b7ab1079dc760f2c49bdb109f21090f69b
Opcode Fuzzy Hash: bb1affba04200ebd718843690fdfdc478a404a09850317f62eb42ca3c19dbc2e
Instruction Fuzzy Hash: 5EE06D70200B558FE720DF69E4047427AE9FF00704F01892CE55AC7342EBB4D448CFA1

Function 00897C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00897C82

Part of subcall function 00863358: _doexit.LIBCMT ref: 00863362

Strings

Error allocating memory., xrefs: 00897C7B
AutoIt, xrefs: 00897C76

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 4c4629b788aeb9a913be2298eff3dab241f566361c09b45fb7891c052df97f43
Instruction ID: 67b59ab25ae649b74498e8b89d0821c3b2ea4949632c0f526c6add579e834f36
Opcode Fuzzy Hash: 4c4629b788aeb9a913be2298eff3dab241f566361c09b45fb7891c052df97f43
Instruction Fuzzy Hash: CAD0123239431836E21532AD6D07FDA7648EF15B56F040416FB14D97D349D6859051AA

Function 00881935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00881775

Part of subcall function 008BBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0088195E,?), ref: 008BBFFE
Part of subcall function 008BBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008BC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0088196D

Strings

WIN_XPe, xrefs: 00881788

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 29a9ce8fcd503b63dfe20d8ca816a7a116a1ac75bfd0241da6c67e097d9aeb38
Instruction ID: ba6c75c5bc25d85954b3c3c6e6ea805dbca7753a26d95f45bfd98520bab9ba8f
Opcode Fuzzy Hash: 29a9ce8fcd503b63dfe20d8ca816a7a116a1ac75bfd0241da6c67e097d9aeb38
Instruction Fuzzy Hash: F0F0157080200DDFDB15EBA0C988AECBAB8FB08304F54049AE202E21A5CB704F85DF20

Function 008C5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008C59AE
PostMessageW.USER32(00000000), ref: 008C59B5

Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC

Strings

Shell_TrayWnd, xrefs: 008C59A7

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b373004fcda6cc29840d8b433b79fa7bedb207b931a907b5b6fe6b171e1db6df
Instruction ID: f1dcf2a4a208499fafc7a18163b418ab18d872463afc1d0d768ba905276a44cd
Opcode Fuzzy Hash: b373004fcda6cc29840d8b433b79fa7bedb207b931a907b5b6fe6b171e1db6df
Instruction Fuzzy Hash: D5D0C931380711BBF6A4AB709C0BF966625FB15B50F000825B356EA1D1C9F4A800CA54

Function 008C5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008C596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008C5981

Part of subcall function 008A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A52BC

Strings

Shell_TrayWnd, xrefs: 008C5967

Memory Dump Source

Source File: 00000000.00000002.1719601426.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1719577897.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719680312.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719812859.00000000008FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719830436.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_prlsqnzspl.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b94fb104d910561f2b0bd9a48abaeb5165f22616af02705b3e2a11172e388c35
Instruction ID: 12b737b5e0de925e9d3778984e61159da4a00481cd06df16625160afb4d4462b
Opcode Fuzzy Hash: b94fb104d910561f2b0bd9a48abaeb5165f22616af02705b3e2a11172e388c35
Instruction Fuzzy Hash: B0D0C931384711B7F6A4AB709C0BFA66A25FB14B50F000825B35AEA1D1C9F49800CA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report prlsqnzspl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut82AD.tmp

C:\Users\user\AppData\Local\Temp\snaith

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
prlsqnzspl.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre