Edit tour

Windows Analysis Report
ab89jay39E.exe

Overview

General Information

Sample name:	ab89jay39E.exe renamed because original name is a hash value
Original sample name:	8b62c416d91638051e30860dcb54007b.exe
Analysis ID:	1585803
MD5:	8b62c416d91638051e30860dcb54007b
SHA1:	a218e632395c6ce4cdfc2d97e2626bab01bfe38d
SHA256:	60f4e01f3ee548a1eded874bfab55c922edc1a5da9137670fc58b716f5e1b4b5
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ab89jay39E.exe (PID: 4700 cmdline: "C:\Users\user\Desktop\ab89jay39E.exe" MD5: 8B62C416D91638051E30860DCB54007B)

WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1680 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["framekgirus.shop", "skidjazzyric.click", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "noisycuttej.shop", "cloudewahsj.shop", "rabidcowse.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:42:24.956848+0100	2028371	3	Unknown Traffic	192.168.2.9	49705	104.21.64.1	443	TCP
2025-01-08T09:42:26.189783+0100	2028371	3	Unknown Traffic	192.168.2.9	49706	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:42:25.515628+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49705	104.21.64.1	443	TCP
2025-01-08T09:42:56.407596+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49706	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:42:25.515628+0100	2049836	1	A Network Trojan was detected	192.168.2.9	49705	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:42:56.407596+0100	2049812	1	A Network Trojan was detected	192.168.2.9	49706	104.21.64.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ab89jay39E.exe

Avira: detected

Found malware configuration

Source: 0.3.ab89jay39E.exe.2170000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "skidjazzyric.click", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "noisycuttej.shop", "cloudewahsj.shop", "rabidcowse.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: ab89jay39E.exe	Virustotal: Detection: 38%			Perma Link
Source: ab89jay39E.exe	ReversingLabs: Detection: 56%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ab89jay39E.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\ab89jay39E.exe

Unpacked PE file: 0.2.ab89jay39E.exe.400000.0.unpack

Source: ab89jay39E.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ab89jay39E.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	0_2_00441816
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	0_2_0040C080
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	0_2_00417054
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	0_2_0041B021
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0041B021
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov eax, esi	0_2_0043D0D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	0_2_0043D0D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438F9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438FB
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	0_2_00422880
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, bx	0_2_00427885
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_0041F170
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	0_2_004421E9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	0_2_004421E9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	0_2_0041618C
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_0041BA52
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov esi, ecx	0_2_0041BA52
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0041BA52
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	0_2_00402210
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0043A230
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_004442E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00431AF5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	0_2_0040B280
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_00440A90
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	0_2_00441B50
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00409360
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00422370
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042FB7D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	0_2_00408320
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00419B30
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F3E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041B3F2
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_0041AB90
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00418BA2
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then jmp ecx	0_2_00428C62
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_00427C10
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	0_2_00444C20
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	0_2_00414C30
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_00418492
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	0_2_0043CD40
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042C5E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041B58F
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_004195B6
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_004195B6
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edi, edx	0_2_0043E6E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_0043E6E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F4E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F54
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0041A770
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F03
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042F716
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407730
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407730
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	0_2_00427FC0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	0_2_00427FC0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004437D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	0_2_0042A7F0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edx, ecx	0_2_0042A7F0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_00427FFD
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edx, ecx	0_2_0042AF92
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0042AF92
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edx, ecx	0_2_0042AFB0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	0_2_020E5202
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_020E921E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_020FB247
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_020F8264
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	0_2_020EB288
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_020EB288
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	0_2_020F829E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	0_2_020E72BB
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	0_2_020DC2E7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov eax, esi	0_2_0210D337
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	0_2_0210D337
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_020EF3D7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_0210116A
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_021011B5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, edx	0_2_021011BB
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_020EF647
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_020EB659
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	0_2_020F8677
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp al, 20h	0_2_020D275E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_020EB7F6
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	0_2_020D2477
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0210A497
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	0_2_020DB4E7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edi, dword ptr [esp+18h]	0_2_020E5527
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_02114547
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	0_2_020D8587
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_020D95C7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_020F25D7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edi, edx	0_2_0210EA3F
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	0_2_020F2AE7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ebx, bx	0_2_020F7B02
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_0210EB27
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_020E981D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_020E981D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_020FC847
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_020E886C
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_020FF97D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_020D7997
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_020D7997
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_020EA9D7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_020F7E77
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	0_2_02114E87
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then jmp ecx	0_2_020F8EB2
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov edx, ecx	0_2_020FAF50
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	0_2_0210CFA7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	0_2_020FAC89
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_020EBCB9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov esi, ecx	0_2_020EBCB9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_020EBCB9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_02110CF7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_020FFDE4
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 4x nop then mov ecx, eax	0_2_020EADF7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49706 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49706 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49705 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49705 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop

Source: Joe Sandbox View

IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49706 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49705 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: skidjazzyric.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: skidjazzyric.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click

Source: ab89jay39E.exe, 00000000.00000003.1841930866.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: ab89jay39E.exe, 00000000.00000002.1977868355.000000000067D000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1842030843.000000000067C000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/
Source: ab89jay39E.exe, 00000000.00000003.1841946557.0000000000637000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000002.1977800258.0000000000639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/%7
Source: ab89jay39E.exe, 00000000.00000002.1977800258.0000000000659000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/api
Source: ab89jay39E.exe, 00000000.00000002.1977644575.000000000062A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apiI
Source: ab89jay39E.exe, 00000000.00000002.1977868355.000000000067D000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1842030843.000000000067C000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apiO

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00437A60

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00437A60

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00437C10

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00408A60	0_2_00408A60
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00437850	0_2_00437850
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041906A	0_2_0041906A
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00426010	0_2_00426010
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043D0D0	0_2_0043D0D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004438E0	0_2_004438E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004180F0	0_2_004180F0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004438F9	0_2_004438F9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004438FB	0_2_004438FB
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00427885	0_2_00427885
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041D8B0	0_2_0041D8B0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00406950	0_2_00406950
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00444950	0_2_00444950
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0040E16E	0_2_0040E16E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0040D172	0_2_0040D172
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043210B	0_2_0043210B
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00403910	0_2_00403910
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00429917	0_2_00429917
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00406120	0_2_00406120
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0040B92C	0_2_0040B92C
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042F1C1	0_2_0042F1C1
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004239EB	0_2_004239EB
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00421180	0_2_00421180
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041618C	0_2_0041618C
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043099F	0_2_0043099F
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041F9A0	0_2_0041F9A0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041D1B0	0_2_0041D1B0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042E9B0	0_2_0042E9B0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041BA52	0_2_0041BA52
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043025E	0_2_0043025E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042621B	0_2_0042621B
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042BA20	0_2_0042BA20
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00417222	0_2_00417222
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00443A30	0_2_00443A30
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004042C0	0_2_004042C0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00443AC0	0_2_00443AC0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004302CD	0_2_004302CD
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0040F2D0	0_2_0040F2D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004442E0	0_2_004442E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0040B280	0_2_0040B280
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004352B0	0_2_004352B0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00402B40	0_2_00402B40
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00443B60	0_2_00443B60
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00409B70	0_2_00409B70
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00422370	0_2_00422370
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00429B7B	0_2_00429B7B
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042FB7D	0_2_0042FB7D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00405B00	0_2_00405B00
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00440B00	0_2_00440B00
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00428B10	0_2_00428B10
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00419B30	0_2_00419B30
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00421B30	0_2_00421B30
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00411BDE	0_2_00411BDE
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004123EC	0_2_004123EC
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00418BA2	0_2_00418BA2
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00428C62	0_2_00428C62
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043C460	0_2_0043C460
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043B410	0_2_0043B410
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00441C26	0_2_00441C26
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00444C20	0_2_00444C20
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004064C0	0_2_004064C0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042F4E1	0_2_0042F4E1
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004324EE	0_2_004324EE
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041D4A0	0_2_0041D4A0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00408D10	0_2_00408D10
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043E520	0_2_0043E520
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00442DCA	0_2_00442DCA
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00415DD8	0_2_00415DD8
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00425DA0	0_2_00425DA0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004085B0	0_2_004085B0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00409660	0_2_00409660
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00404E20	0_2_00404E20
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043C6C0	0_2_0043C6C0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043E6E0	0_2_0043E6E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004186E5	0_2_004186E5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00444680	0_2_00444680
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0041DE90	0_2_0041DE90
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043CE90	0_2_0043CE90
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00428750	0_2_00428750
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0043DF60	0_2_0043DF60
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00429F7C	0_2_00429F7C
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00433707	0_2_00433707
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00402F10	0_2_00402F10
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00425713	0_2_00425713
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042F716	0_2_0042F716
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00407730	0_2_00407730
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00427FC0	0_2_00427FC0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004437D0	0_2_004437D0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00433FDF	0_2_00433FDF
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004127E0	0_2_004127E0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042A7F0	0_2_0042A7F0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_00434FF0	0_2_00434FF0
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0042AF92	0_2_0042AF92
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02105257	0_2_02105257
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02104246	0_2_02104246
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210D337	0_2_0210D337
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E8357	0_2_020E8357
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02102372	0_2_02102372
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D6387	0_2_020D6387
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020DD3D9	0_2_020DD3D9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020DE3D5	0_2_020DE3D5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F13E7	0_2_020F13E7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E603F	0_2_020E603F
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D5087	0_2_020D5087
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210D0F7	0_2_0210D0F7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020EE0F7	0_2_020EE0F7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210E1C7	0_2_0210E1C7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E2653	0_2_020E2653
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210B677	0_2_0210B677
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210C6C7	0_2_0210C6C7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020ED707	0_2_020ED707
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D6727	0_2_020D6727
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02102755	0_2_02102755
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FF748	0_2_020FF748
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210E787	0_2_0210E787
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020ED417	0_2_020ED417
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FF428	0_2_020FF428
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_021004C5	0_2_021004C5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020DB4E7	0_2_020DB4E7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02105517	0_2_02105517
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02100534	0_2_02100534
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D4527	0_2_020D4527
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020DF537	0_2_020DF537
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02114547	0_2_02114547
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F25D7	0_2_020F25D7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E2A47	0_2_020E2A47
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FAA57	0_2_020FAA57
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02107AB7	0_2_02107AB7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F7B02	0_2_020F7B02
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020EDB17	0_2_020EDB17
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D3B77	0_2_020D3B77
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02114BB7	0_2_02114BB7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D6BB7	0_2_020D6BB7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D8817	0_2_020D8817
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D98C7	0_2_020D98C7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_021148E7	0_2_021148E7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210C927	0_2_0210C927
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E7950	0_2_020E7950
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FF97D	0_2_020FF97D
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0210396E	0_2_0210396E
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D7997	0_2_020D7997
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F89B7	0_2_020F89B7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E1E45	0_2_020E1E45
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02114E87	0_2_02114E87
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D8F77	0_2_020D8F77
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020EFC07	0_2_020EFC07
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02100C06	0_2_02100C06
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FEC17	0_2_020FEC17
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F3C52	0_2_020F3C52
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FAC89	0_2_020FAC89
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FBC87	0_2_020FBC87
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020EBCB9	0_2_020EBCB9
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D8CC7	0_2_020D8CC7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D5D67	0_2_020D5D67
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02110D67	0_2_02110D67
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020F1D97	0_2_020F1D97
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D2DA7	0_2_020D2DA7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D9DD7	0_2_020D9DD7
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020FFDE4	0_2_020FFDE4
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020E7DFA	0_2_020E7DFA

Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: String function: 020E4E87 appears 145 times
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: String function: 020D84E7 appears 71 times
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: String function: 00414C20 appears 145 times

Source: C:\Users\user\Desktop\ab89jay39E.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1680

Source: ab89jay39E.exe, 00000000.00000000.1513483406.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOrihinal4 vs ab89jay39E.exe
Source: ab89jay39E.exe	Binary or memory string: OriginalFilenamesOrihinal4 vs ab89jay39E.exe

Source: ab89jay39E.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: ab89jay39E.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WER1CC1.tmp.dmp.5.dr

Binary string: \Device\HarddiskVolume3\Users\user\Desktop\ab89jay39E.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_020A07A6 CreateToolhelp32Snapshot,Module32First,

0_2_020A07A6

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_0043D0D0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4700

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cb736a4b-8b57-45ec-b498-23a464c455b2

Jump to behavior

Source: ab89jay39E.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ab89jay39E.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ab89jay39E.exe	Virustotal: Detection: 38%
Source: ab89jay39E.exe	ReversingLabs: Detection: 56%

Source: C:\Users\user\Desktop\ab89jay39E.exe

File read: C:\Users\user\Desktop\ab89jay39E.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ab89jay39E.exe "C:\Users\user\Desktop\ab89jay39E.exe"
Source: C:\Users\user\Desktop\ab89jay39E.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1680

Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\ab89jay39E.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\ab89jay39E.exe

Unpacked PE file: 0.2.ab89jay39E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\ab89jay39E.exe

Unpacked PE file: 0.2.ab89jay39E.exe.400000.0.unpack

Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_004499A1 push esp; ret	0_2_004499A2
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_0044AAD0 push ecx; retn 0041h	0_2_0044AAD5
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020A2361 push 00000004h; ret	0_2_020A2375
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020A30C7 push 0F56897Eh; iretd	0_2_020A30DF
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020A646F push ebp; ret	0_2_020A6470
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020A3CDA push esi; retn 001Ch	0_2_020A3CDE
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_02101A8C pushad ; retf 0044h	0_2_02101A93

Source: ab89jay39E.exe

Static PE information: section name: .text entropy: 7.834974687985642

Source: C:\Users\user\Desktop\ab89jay39E.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ab89jay39E.exe TID: 4864	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\ab89jay39E.exe TID: 4392	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ab89jay39E.exe, 00000000.00000002.1977800258.0000000000670000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: ab89jay39E.exe, 00000000.00000002.1977644575.000000000062A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHCg%SystemRoot%\system32\mswsock.dllx
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\ab89jay39E.exe

Code function: 0_2_00442080 LdrInitializeThunk,

0_2_00442080

Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020A0083 push dword ptr fs:[00000030h]	0_2_020A0083
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D092B mov eax, dword ptr fs:[00000030h]	0_2_020D092B
Source: C:\Users\user\Desktop\ab89jay39E.exe	Code function: 0_2_020D0D90 mov eax, dword ptr fs:[00000030h]	0_2_020D0D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: ab89jay39E.exe	String found in binary or memory: cloudewahsj.shop
Source: ab89jay39E.exe	String found in binary or memory: rabidcowse.shop
Source: ab89jay39E.exe	String found in binary or memory: noisycuttej.shop
Source: ab89jay39E.exe	String found in binary or memory: tirepublicerj.shop
Source: ab89jay39E.exe	String found in binary or memory: framekgirus.shop
Source: ab89jay39E.exe	String found in binary or memory: wholersorie.shop
Source: ab89jay39E.exe	String found in binary or memory: abruptyopsn.shop
Source: ab89jay39E.exe	String found in binary or memory: nearycrepso.shop
Source: ab89jay39E.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\ab89jay39E.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ab89jay39E.exe	39%	Virustotal		Browse
ab89jay39E.exe	57%	ReversingLabs	Win32.Trojan.Generic
ab89jay39E.exe	100%	Avira	HEUR/AGEN.1306978
ab89jay39E.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://skidjazzyric.click/apiO	0%	Avira URL Cloud	safe
https://skidjazzyric.click/%7	0%	Avira URL Cloud	safe
https://skidjazzyric.click/	0%	Avira URL Cloud	safe
skidjazzyric.click	0%	Avira URL Cloud	safe
https://skidjazzyric.click/api	0%	Avira URL Cloud	safe
https://skidjazzyric.click/apiI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
skidjazzyric.click	104.21.64.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://skidjazzyric.click/api	true	Avira URL Cloud: safe	unknown
framekgirus.shop	false		high
skidjazzyric.click	true	Avira URL Cloud: safe	unknown
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://skidjazzyric.click/%7	ab89jay39E.exe, 00000000.00000003.1841946557.0000000000637000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000002.1977800258.0000000000639000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	ab89jay39E.exe, 00000000.00000003.1841930866.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/apiO	ab89jay39E.exe, 00000000.00000002.1977868355.000000000067D000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1842030843.000000000067C000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://skidjazzyric.click/	ab89jay39E.exe, 00000000.00000002.1977868355.000000000067D000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1842030843.000000000067C000.00000004.00000020.00020000.00000000.sdmp, ab89jay39E.exe, 00000000.00000003.1841946557.0000000000670000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://skidjazzyric.click/apiI	ab89jay39E.exe, 00000000.00000002.1977644575.000000000062A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	skidjazzyric.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585803
Start date and time:	2025-01-08 09:41:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ab89jay39E.exe renamed because original name is a hash value
Original Sample Name:	8b62c416d91638051e30860dcb54007b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 14 Number of non-executed functions: 211
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.149.20.212, 40.126.31.73, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:42:24	API Interceptor	2x Sleep call for process: ab89jay39E.exe modified
03:43:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://tom18860.s3.ap-northeast-1.amazonaws.com/%E6%9F%A5%E8%AF%A2%E6%96%87%E4%BB%B6.rar	Get hash	malicious	GhostRat	Browse	1.1.1.1
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	104.21.80.1
	https://mitra-led.com/	Get hash	malicious	Unknown	Browse	104.21.96.1
	YOUR TV LICENCE STATEMENT.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.flamingoblv.com/bdAHAKrXFqXFQCYuPG6x8vSTVrU9FI7svGtQIOtbZGb5Zz82nKKGDoG-o7UnwphbBQK1zePMgTPfELKVecsIqQ~~	Get hash	malicious	Unknown	Browse	172.67.160.100
	https://www.overflix.gay/ksisjep	Get hash	malicious	Unknown	Browse	104.21.76.17
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	3.elf	Get hash	malicious	Unknown	Browse	1.4.26.56

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	socolo.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ab89jay39E.exe_43ac3acd26b4b783eff79ce85ceaf6cb640f5fe_f7720af9_1e63598c-746d-4f38-b4f0-86f8240766fe\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9694782307633123
Encrypted:	false
SSDEEP:	192:de4T60FmEDcJjvEmmzuiFcDZ24IO8APV:NTBFmEMjozuiFcDY4IO8Q
MD5:	9FB3EAD850D3494A0C6199D766309D9A
SHA1:	D511B0CBCCBC955DF1455E27E66EBFCF7BFD887B
SHA-256:	8FC2F3449CF4E2EA12C57B4F0F7A92006BEE2326A14EE84D513148FC6723E5AB
SHA-512:	56E5A2C0FDC7524376205F7947BC791A92A9D8CA8E3120CC22EC760F1DFAC2BE846A8F14406A8BB861BB8718FEA816084521C41AC48EC18B1383E5D7448B110D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.9.9.3.7.6.2.5.4.8.8.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.9.9.3.7.7.0.9.8.6.4.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.6.3.5.9.8.c.-.7.4.6.d.-.4.f.3.8.-.b.4.f.0.-.8.6.f.8.2.4.0.7.6.6.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.2.c.1.6.3.e.-.c.5.6.8.-.4.d.9.5.-.b.2.5.2.-.e.e.a.0.d.e.1.c.5.6.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.b.8.9.j.a.y.3.9.E...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.5.c.-.0.0.0.1.-.0.0.1.4.-.0.6.e.c.-.7.8.3.c.a.9.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.0.4.c.6.5.1.0.2.a.2.e.b.9.6.6.b.c.8.6.1.0.e.e.c.3.9.3.7.5.f.2.0.0.0.0.f.f.f.f.!.0.0.0.0.a.2.1.8.e.6.3.2.3.9.5.c.6.c.e.4.c.d.f.c.2.d.9.7.e.2.6.2.6.b.a.b.0.1.b.f.e.3.8.d.!.a.b.8.9.j.a.y.3.9.E...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CC1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 8 08:42:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	47351
Entropy (8bit):	2.786430021812939
Encrypted:	false
SSDEEP:	192:mQ8ZgXurwLT56Ox1BrLi3jAfCnV3sautEjhPnnnN54cOQEA/zL1msDx2x+iHhA/O:NirwLT3TBnis6dsjqVOuxDxYRhe5A
MD5:	F801A884B132FEAC774D708C096EE53D
SHA1:	938334555A80E74735C66B9A9FF147351AFCBB7C
SHA-256:	3D8D6F85C1EE8589E24636DD01B8674C8FF497CF6883411EEE9A268E1909BFC6
SHA-512:	1D0D2879B9470EA6F6A781E9224AC1D097A60A3C6EDFA2A51C06E296858A5CDDEE98FFD72BBBFFF7E8A9EC7EFFEF55D143D30F8A4BB4127A120B3DF786F4E141
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........:~g............4...............H.......<...........D....,..........`.......8...........T............?..wy..........P...........< ..............................................................................eJ....... ......GenuineIntel............T.......\...n:~g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EC5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8312
Entropy (8bit):	3.696376745909622
Encrypted:	false
SSDEEP:	192:R6l7wVeJlB6q3l6YcDRSUTAGgmfGipDj89b75sfPJm:R6lXJT6q3l6YmSUVgmfGr7Sf8
MD5:	4295194F47D886CBECD834AB10B68DCA
SHA1:	3D1065EB736649312EEA592E3F93D9F0A4A6EF2A
SHA-256:	6478323435D180F18377005837D099B22628031C102500E8BC804B3B88E87FC9
SHA-512:	C7E7B3E24E1C4E75E37B312C221B96F05038C15C41F847BDB4BE3128D45023EA94B7FF22EFD4A25B013472F1C65D581DC3340C9E0525D8C12FFBDBA3D9F6DBAD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EF5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.454925786368761
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI9lSWpW8VYB6vYm8M4J/RF5o+q8ECVODIDUd:uIjfEI7Xz7VCJW4UUDUd
MD5:	8EA5421AE37D1D0E4A340254DCDC3A0B
SHA1:	02FEC30534DF8C2F1407CA99E7C36D1007EDC6A0
SHA-256:	378601B4F2EF8C110EE4A9AC9884E87C6AEB1EA9B52A3D78E9A45B3D5872F9D5
SHA-512:	63FA2BBD4193D47F82AEC3BE9E2CA8C55BD59DDB30BE482A696FF64323EE478DC8AEB0F98C2735BC474DFA54CB638BB9E970CA5E87E73364EFF1DE619DC2C639
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666705" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.393780525973441
Encrypted:	false
SSDEEP:	6144:Ol4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNeROBSqa:O4vF0MYQUMM6VFYARU
MD5:	18CB702D8F48AA71C57BFCE308966BF6
SHA1:	B2D0251B1D327542B04846AAE128A6675B70A11A
SHA-256:	E2A4C5C10CE91F0BC0A9897315E5BBE44AEB862186DC5EF0DBE917AD4DFADA3D
SHA-512:	4CDF1F9863740F25767553D34EFB93A0FA2883FBC5B5732BCA73AC0841C1257E7A9F6769DD89AA6FECB8B4811EBD563F9C2EB648139E964284F0985DBD8519ED
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR.GP.a..............................................................................................................................................................................................................................................................................................................................................]tPd........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.280850900534798
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ab89jay39E.exe
File size:	337'920 bytes
MD5:	8b62c416d91638051e30860dcb54007b
SHA1:	a218e632395c6ce4cdfc2d97e2626bab01bfe38d
SHA256:	60f4e01f3ee548a1eded874bfab55c922edc1a5da9137670fc58b716f5e1b4b5
SHA512:	eeba20a3d40e1ef74e6757c3dfba9d680b307d0ced8876441bfbc5cbcb230d95ed4e07c7614c2bc78d95a0dc438e51912ecafbadb726320eb588d0f10e969cc0
SSDEEP:	6144:hLUg/Q3k86N9Uy7YaoEDOtWFKhKVBGtbZSg2:hgg/QEIG3oU8KTg
TLSH:	EC74F1127590D873C89A44718C34C9F5EA2FBC726E5A898733B43F6F3D31382A669365
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.....S...S...S[Y.S...S.D.S...S.D.S...S.D.S...S...S...S...S...S.D.S...S.D.S...S.D.S...SRich...S................PE..L......f...

File Icon


Icon Hash:	714941014150546b

Static PE Info

General

Entrypoint:	0x404261
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668FBD9E [Thu Jul 11 11:10:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	3b10e24f8c96c961a509c2761fac0068

Entrypoint Preview

Instruction
call 00007FFAA052E089h
jmp 00007FFAA052B11Eh
int3
int3
int3
int3
int3
call 00007FFAA052B2DCh
xchg cl, ch
jmp 00007FFAA052B2C4h
call 00007FFAA052B2D3h
fxch st(0), st(1)
jmp 00007FFAA052B2BBh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007FFAA052B2B1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007FFAA052B2A6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007FFAA052B2A4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007FFAA052B2A7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007FFAA052E24Fh
fstp st(0)
fld tbyte ptr [0044357Ah]
ret
fstp st(0)
or cl, cl
je 00007FFAA052B2ADh
fstp st(0)
fldpi
or ch, ch
je 00007FFAA052B2A4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007FFAA052B299h
fchs
ret
fstp st(0)
jmp 00007FFAA052E225h
fstp st(0)
mov cl, ch
jmp 00007FFAA052B2A2h
call 00007FFAA052B26Eh
jmp 00007FFAA052E230h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, FFFFFD30h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41bac	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0xac70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d58	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x188	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4148a	0x41600	860b968b7bd4fb60351a6048ef34eed2	False	0.887338671128107	data	7.834974687985642	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x43000	0x9ec8	0x6000	72c505f83ac7f156b6b71ec711abc625	False	0.0804443359375	Matlab v4 mat-file (little endian) n2, sparse, rows 0, columns 0	0.9420016872238347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0xdc70	0xae00	7f76664a573ecbd239b636bba719b598	False	0.3727325790229885	data	4.5767836262042225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x53400	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x53730	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x53888	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x54730	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x54fd8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x55570	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x56418	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x56cc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_ICON	0x4d510	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.43550106609808104
RT_ICON	0x4e3b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5523465703971119
RT_ICON	0x4ec60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5852534562211982
RT_ICON	0x4f328	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6047687861271677
RT_ICON	0x4f890	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.44367219917012446
RT_ICON	0x51e38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4929643527204503
RT_ICON	0x52ee0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.5221631205673759
RT_STRING	0x57470	0x4c4	data	Romanian	Romania	0.4532786885245902
RT_STRING	0x57938	0x338	data	Romanian	Romania	0.4696601941747573
RT_ACCELERATOR	0x533b0	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x53860	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x55540	0x30	data			0.9375
RT_GROUP_CURSOR	0x57228	0x30	data			0.9375
RT_GROUP_ICON	0x53348	0x68	data	Romanian	Romania	0.6826923076923077
RT_VERSION	0x57258	0x218	data			0.5223880597014925

Imports

DLL	Import
KERNEL32.dll	SetLocaleInfoA, EnumCalendarInfoA, WriteConsoleInputW, InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, SetComputerNameW, FindNextVolumeMountPointA, EnumTimeFormatsW, SetCommConfig, GetVersionExW, FindNextVolumeW, GetAtomNameW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, LoadLibraryA, FindNextFileA, GetModuleHandleA, FreeEnvironmentStringsW, EnumDateFormatsW, OpenEventW, GetShortPathNameW, ReadConsoleInputW, TerminateJobObject, GetWindowsDirectoryW, GetCurrentProcessId, OpenFileMappingA, EnumCalendarInfoExA, SwitchToThread, CreateFileA, CloseHandle, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, HeapFree, SetFilePointer, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, RaiseException, SetStdHandle, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW
USER32.dll	OemToCharA, DdeQueryStringA, GetWindowTextLengthA
SHELL32.dll	DragFinish

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T09:42:24.956848+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49705	104.21.64.1	443	TCP
2025-01-08T09:42:25.515628+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.9	49705	104.21.64.1	443	TCP
2025-01-08T09:42:25.515628+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49705	104.21.64.1	443	TCP
2025-01-08T09:42:26.189783+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49706	104.21.64.1	443	TCP
2025-01-08T09:42:56.407596+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.9	49706	104.21.64.1	443	TCP
2025-01-08T09:42:56.407596+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49706	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 09:42:24.462723970 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:24.462759972 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:24.462843895 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:24.465557098 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:24.465569019 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:24.956752062 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:24.956847906 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:24.973274946 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:24.973290920 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:24.973633051 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.016453028 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.044147968 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.044163942 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.044260025 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.515638113 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.515727043 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.515822887 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.530292034 CET	49705	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.530303955 CET	443	49705	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.710052967 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.710091114 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:25.710216999 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.710509062 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:25.710522890 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:26.189672947 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:26.189783096 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:26.191291094 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:26.191303968 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:26.192050934 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:26.193649054 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:26.193649054 CET	49706	443	192.168.2.9	104.21.64.1
Jan 8, 2025 09:42:26.193726063 CET	443	49706	104.21.64.1	192.168.2.9
Jan 8, 2025 09:42:56.407301903 CET	49706	443	192.168.2.9	104.21.64.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 09:42:24.432589054 CET	57893	53	192.168.2.9	1.1.1.1
Jan 8, 2025 09:42:24.457916975 CET	53	57893	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 09:42:24.432589054 CET	192.168.2.9	1.1.1.1	0xf01b	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:42:24.457916975 CET	1.1.1.1	192.168.2.9	0xf01b	No error (0)	skidjazzyric.click	104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

skidjazzyric.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49705	104.21.64.1	443	4700	C:\Users\user\Desktop\ab89jay39E.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 08:42:25 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: skidjazzyric.click
2025-01-08 08:42:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-08 08:42:25 UTC	1135	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 08:42:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ga2ohfn222ob7tkim6lkv358nd; expires=Sun, 04 May 2025 02:29:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDM4dxFa%2FgC0j3Fslt6ZkAIq4CNvRuyBw9e6y9wr1xy41ZflidXJ4Tnn4%2BaWsZgK3GpZja3m3umyyU5ni12MsAGtd0M5pRg02LGBV%2Bz%2Fs4%2ByKL18v%2FHMnhGkP4IEPX5BGwF8mlA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8feae4e2dcf47c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2010&rtt_var=758&sent=7&recv=8&lost=0&retrans=0&sent_bytes=3057&recv_bytes=909&delivery_rate=2159763&cwnd=219&unsent_bytes=0&cid=92ebce4822729d60&ts=572&x=0"
2025-01-08 08:42:25 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-08 08:42:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49706	104.21.64.1	443	4700	C:\Users\user\Desktop\ab89jay39E.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 08:42:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: skidjazzyric.click
2025-01-08 08:42:26 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f

Target ID:	0
Start time:	03:42:22
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\ab89jay39E.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ab89jay39E.exe"
Imagebase:	0x400000
File size:	337'920 bytes
MD5 hash:	8B62C416D91638051E30860DCB54007B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:42:56
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1680
Imagebase:	0xd50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	41.4%
Signature Coverage:	34.3%
Total number of Nodes:	70
Total number of Limit Nodes:	4

Executed Functions

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
GetForegroundWindow.USER32 ref: 00408B8B
ExitProcess.KERNEL32 ref: 00408D07

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

50, xrefs: 0040C1AD
Js, xrefs: 0040C0C1
'!, xrefs: 0040C119
FwPq, xrefs: 0040C0B9
DM_e, xrefs: 0040C083

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

Function 020A07A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 020A07CE
Module32First.KERNEL32(00000000,00000224), ref: 020A07EE

Memory Dump Source

Source File: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20a0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8d659c7b413419b2f988576143d97f6a89123ddc3dc83f07f48dd86c176834ea
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 20F0F6319003196FE7203BF5D89CB6F76E9BF49625F500128E643910C0DB70E8059E60

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441B50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96

Function 00441816 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

Function 020D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020D024D

Strings

cess, xrefs: 020D018D
kernel32.dll, xrefs: 020D008F, 020D0095

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: dca78506bd68bbaebe83f703c92878055dae886c6e97be66cdc185833bc2fdca
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62525A74A01229DFDB64CF58C984BACBBB1BF09314F1480D9E94DAB351DB30AA95DF14

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C5
GetForegroundWindow.USER32 ref: 004423E0

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
Opcode Fuzzy Hash: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E

Function 020D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,020D0223,?,?), ref: 020D0E19
SetErrorMode.KERNELBASE(00000000,?,?,020D0223,?,?), ref: 020D0E1E

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6694f36606793361b509c331fc2bc32e2ccd64f7af50ad39e78bfb29505a1a99
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 87D0123114522877D7412AA4DC09BCD7B5CDF05B66F008011FB0DD9080C770954046E9

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
Opcode Fuzzy Hash: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
Opcode Fuzzy Hash: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
Opcode Fuzzy Hash: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98

Function 020A0465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 020A04B6

Memory Dump Source

Source File: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20a0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: bdc41ccda184dcb8944b69ff46fb398ea0e0b7b47c1004dea63479c10d35ad1d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3D113C79A40208EFDB01DF98C985E98BBF5AF08750F058094F9489B361D371EA50EF80

Function 0040D91E Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040D91E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 35d35c0cba7f4fdcfc1d5edb279c6cd9792a4e2d5ea181b845f35dcafbfe1749
Instruction ID: 2f5f970036496b3afcf1dff248c1d9f944bf8c69856188176dca10f541722c19
Opcode Fuzzy Hash: 35d35c0cba7f4fdcfc1d5edb279c6cd9792a4e2d5ea181b845f35dcafbfe1749
Instruction Fuzzy Hash: A3B0123BF18004CF8B8007E4BC044DFF370E2C12367114173D21AD1001DB35412D4696

Non-executed Functions

Function 004127E0 Relevance: 185.7, APIs: 3, Strings: 102, Instructions: 1937COMMON

Download Yara Rule

Strings

+, xrefs: 004141E2
6, xrefs: 00413B20
:, xrefs: 00413B0C
@, xrefs: 004141AA
J, xrefs: 0041359E
6, xrefs: 004133FE
]ZN, xrefs: 004142B8
H, xrefs: 0041416A
T, xrefs: 0041410A
N, xrefs: 00412E53
", xrefs: 00413726
z, xrefs: 00413F05
q, xrefs: 00413284
!, xrefs: 004141C2
E, xrefs: 00412FB2
8, xrefs: 00413B16
0, xrefs: 0041332A
z, xrefs: 00412FBA
B, xrefs: 0041419A
$, xrefs: 0041340E
D, xrefs: 00412FAA
', xrefs: 0041374E
:, xrefs: 00414212
>, xrefs: 00413AF8
D, xrefs: 0041436D
`, xrefs: 00413810
$, xrefs: 004139A3
r, xrefs: 00413EC5
A, xrefs: 00412B95
Q, xrefs: 00412921
a, xrefs: 00413158
b, xrefs: 00413F45
Z, xrefs: 004140DA
R, xrefs: 0041411A
S, xrefs: 00413289
N, xrefs: 0041358A
1, xrefs: 00413332
-, xrefs: 00414152
3, xrefs: 00412ADE
V, xrefs: 004140FA
+, xrefs: 00413406
x, xrefs: 00413F15
6, xrefs: 0041333A
*, xrefs: 00413D85
p, xrefs: 00413D1F
]ZN, xrefs: 004142B1
]ZN, xrefs: 004142C8
T, xrefs: 00413138
f, xrefs: 00413168
R, xrefs: 00413E2D
J, xrefs: 0041415A
4, xrefs: 004141D2
v, xrefs: 00413188
F, xrefs: 0041417A
D, xrefs: 004145EE
$, xrefs: 00413756
8, xrefs: 00414202
., xrefs: 0041357B
^, xrefs: 004140BA
q, xrefs: 00413D24
, xrefs: 00413736
B, xrefs: 00413576
=, xrefs: 0041299B
,, xrefs: 00413716
(, xrefs: 00413D95
X, xrefs: 004140EA
v, xrefs: 00413EA5
L, xrefs: 0041328E
9, xrefs: 00413585
|, xrefs: 00413EF5
&, xrefs: 00413746
w, xrefs: 00413D1A
%, xrefs: 00413416
1, xrefs: 00413B52
", xrefs: 0041358F
hIb, xrefs: 0041387B, 0041440A, 004144EC, 0041456A, 0041469B, 00414701
!, xrefs: 004141B2
\, xrefs: 004140CA
W, xrefs: 00413322
e, xrefs: 00413F3D
m, xrefs: 00413E7D
., xrefs: 00413B5A
d, xrefs: 00413F35
@, xrefs: 00413580
<, xrefs: 00413B02
(, xrefs: 00413EFD
4, xrefs: 00413B2A
0, xrefs: 00413B4A
w, xrefs: 00413571
2, xrefs: 00413B3A
y, xrefs: 00413E1D
M, xrefs: 00413599
p, xrefs: 00413ED5
D, xrefs: 0041418A
t, xrefs: 00413EB5
L, xrefs: 00413594
N, xrefs: 0041413A
f, xrefs: 00413F25
', xrefs: 00412C44
P, xrefs: 0041412A
~, xrefs: 00413EE5
L, xrefs: 0041414A

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$hIb$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-622296361
Opcode ID: 929ec0d66f67bc94563d27c8c109e67ec50563cbca2abddcf2ec66b0a8e82212
Instruction ID: 11c8b48c8f4a98f758d37e8cd5808665052ec381988852a9cf89f45dba9536ca
Opcode Fuzzy Hash: 929ec0d66f67bc94563d27c8c109e67ec50563cbca2abddcf2ec66b0a8e82212
Instruction Fuzzy Hash: CF03B07010C7C08AD3259B38C5883EFBFD1AB96314F188A6EE5E9873D2D7798585871B

Function 020E2A47 Relevance: 183.9, APIs: 2, Strings: 102, Instructions: 1937COMMON

Download Yara Rule

Strings

8, xrefs: 020E4469
4, xrefs: 020E4439
6, xrefs: 020E3665
2, xrefs: 020E3DA1
+, xrefs: 020E4449
=, xrefs: 020E2C02
e, xrefs: 020E41A4
!, xrefs: 020E4429
&, xrefs: 020E39AD
]ZN, xrefs: 020E451F
9, xrefs: 020E37EC
N, xrefs: 020E37F1
:, xrefs: 020E4479
v, xrefs: 020E33EF
T, xrefs: 020E4371
0, xrefs: 020E3591
$, xrefs: 020E39BD
w, xrefs: 020E3F81
E, xrefs: 020E3219
m, xrefs: 020E40E4
b, xrefs: 020E41AC
P, xrefs: 020E4391
6, xrefs: 020E35A1
., xrefs: 020E37E2
D, xrefs: 020E45D4
3, xrefs: 020E2D45
f, xrefs: 020E418C
L, xrefs: 020E37FB
0, xrefs: 020E3DB1
N, xrefs: 020E30BA
p, xrefs: 020E413C
D, xrefs: 020E3211
v, xrefs: 020E410C
]ZN, xrefs: 020E452F
~, xrefs: 020E414C
X, xrefs: 020E4351
@, xrefs: 020E4411
D, xrefs: 020E4855
D, xrefs: 020E43F1
M, xrefs: 020E3800
]ZN, xrefs: 020E4518
t, xrefs: 020E411C
p, xrefs: 020E3F86
F, xrefs: 020E43E1
$, xrefs: 020E3C0A
L, xrefs: 020E34F5
(, xrefs: 020E3FFC
w, xrefs: 020E37D8
:, xrefs: 020E3D73
J, xrefs: 020E43C1
R, xrefs: 020E4094
\, xrefs: 020E4331
8, xrefs: 020E3D7D
R, xrefs: 020E4381
Z, xrefs: 020E4341
!, xrefs: 020E4419
, xrefs: 020E399D
S, xrefs: 020E34F0
d, xrefs: 020E419C
hIb, xrefs: 020E3AE2, 020E4671, 020E4753, 020E47D1, 020E4902, 020E4968
", xrefs: 020E37F6
H, xrefs: 020E43D1
|, xrefs: 020E415C
1, xrefs: 020E3599
`, xrefs: 020E3A77
q, xrefs: 020E3F8B
W, xrefs: 020E3589
V, xrefs: 020E4361
z, xrefs: 020E416C
', xrefs: 020E2EAB
J, xrefs: 020E3805
", xrefs: 020E398D
$, xrefs: 020E3675
(, xrefs: 020E4164
y, xrefs: 020E4084
@, xrefs: 020E37E7
-, xrefs: 020E43B9
f, xrefs: 020E33CF
A, xrefs: 020E2DFC
q, xrefs: 020E34EB
<, xrefs: 020E3D69
T, xrefs: 020E339F
., xrefs: 020E3DC1
z, xrefs: 020E3221
B, xrefs: 020E37DD
x, xrefs: 020E417C
*, xrefs: 020E3FEC
', xrefs: 020E39B5
,, xrefs: 020E397D
+, xrefs: 020E366D
%, xrefs: 020E367D
r, xrefs: 020E412C
1, xrefs: 020E3DB9
L, xrefs: 020E43B1
^, xrefs: 020E4321
N, xrefs: 020E43A1
4, xrefs: 020E3D91
>, xrefs: 020E3D5F
6, xrefs: 020E3D87
a, xrefs: 020E33BF
B, xrefs: 020E4401
Q, xrefs: 020E2B88

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$hIb$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-622296361
Opcode ID: 25a80902b9933ed18a7334007feda52168da80d7d92116ce929127663f5e30fb
Instruction ID: 9434190c6659478f9eff5bc2a5d4fe68c2ea8e375fab4f28ac609110d50097b4
Opcode Fuzzy Hash: 25a80902b9933ed18a7334007feda52168da80d7d92116ce929127663f5e30fb
Instruction Fuzzy Hash: 7E03BE7050C7C08ED7259B3888983AFBFD1AB96314F088A6DD5EA873D2D7798485DB13

Function 0041DE90 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

', xrefs: 0041E138
G, xrefs: 0041E5C3
Q, xrefs: 0041E3A1
k, xrefs: 0041E60B
i, xrefs: 0041EBB4
(, xrefs: 0041E4E3
c, xrefs: 0041E423
w, xrefs: 0041E44B
L, xrefs: 0041E3C9
C, xrefs: 0041E3DD
Z, xrefs: 0041E3A6
<, xrefs: 0041E3BA
q, xrefs: 0041E3D8
J, xrefs: 0041E3E7
{, xrefs: 0041E4EB
L, xrefs: 0041E414
/, xrefs: 0041E533
U, xrefs: 0041E473
S, xrefs: 0041E48B
}, xrefs: 0041E110
t, xrefs: 0041E1FA
e, xrefs: 0041EBA0
k, xrefs: 0041E4BB
u, xrefs: 0041E42D
:, xrefs: 0041E483
p, xrefs: 0041E428
k, xrefs: 0041EBAA
p, xrefs: 0041E50B
?, xrefs: 0041E5DB
z, xrefs: 0041E450
y, xrefs: 0041E613
B, xrefs: 0041E3CE
>, xrefs: 0041E432
V, xrefs: 0041E39C
g, xrefs: 0041EBA5
c, xrefs: 0041E437
&, xrefs: 0041E1EA
(, xrefs: 0041E379
N, xrefs: 0041E400
H, xrefs: 0041E3E2
l, xrefs: 0041E0D8
{, xrefs: 0041EBAF
u, xrefs: 0041E455
d, xrefs: 0041EB9B
F, xrefs: 0041EB96
X, xrefs: 0041E120
?, xrefs: 0041E5FB
|, xrefs: 0041E158
t, xrefs: 0041E43C
7, xrefs: 0041E1DA
?, xrefs: 0041E3EC
~, xrefs: 0041E100
4, xrefs: 0041E464
4, xrefs: 0041E1E2
P, xrefs: 0041E388
S, xrefs: 0041E3C4
L, xrefs: 0041E603
g, xrefs: 0041E383
h, xrefs: 0041E446
D, xrefs: 0041E3FB
], xrefs: 0041E160
9, xrefs: 0041E5BB
b, xrefs: 0041E46E
?, xrefs: 0041E5F3
[, xrefs: 0041EB87
g, xrefs: 0041E543
E, xrefs: 0041EB91
d, xrefs: 0041E392
{, xrefs: 0041E52B
., xrefs: 0041E148
!, xrefs: 0041E4D3
h, xrefs: 0041E3AB
L, xrefs: 0041E45F
I, xrefs: 0041E573
q, xrefs: 0041F042
D, xrefs: 0041EB8C
G, xrefs: 0041F03A
[, xrefs: 0041E397
`, xrefs: 0041E53B
F, xrefs: 0041E61B
*, xrefs: 0041E140
L, xrefs: 0041E40F
C, xrefs: 0041E3D3
S, xrefs: 0041E3BF
v, xrefs: 0041E513
o, xrefs: 0041EBBE
Z, xrefs: 0041E3F6
c, xrefs: 0041E503
6, xrefs: 0041E5EB
|, xrefs: 0041E405
T, xrefs: 0041E38D
s, xrefs: 0041E108
i, xrefs: 0041EBB9
\, xrefs: 0041E128
x, xrefs: 0041E441
R, xrefs: 0041E40A
~, xrefs: 0041E45A
u, xrefs: 0041E118

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction ID: 931559f782a0dae5da6d3a2348cda9da3af0ea84656c223040a8e2c7efec153d
Opcode Fuzzy Hash: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction Fuzzy Hash: DAB28F3160C7C08BD325DA38C85439FBBD1ABD6324F184A6DE8E98B3C2D6799849C757

Function 020EE0F7 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

x, xrefs: 020EE6A8
4, xrefs: 020EE449
>, xrefs: 020EE699
Z, xrefs: 020EE65D
[, xrefs: 020EE5FE
S, xrefs: 020EE62B
~, xrefs: 020EE6C1
g, xrefs: 020EE7AA
{, xrefs: 020EE792
., xrefs: 020EE3AF
|, xrefs: 020EE66C
X, xrefs: 020EE387
S, xrefs: 020EE6F2
z, xrefs: 020EE6B7
Z, xrefs: 020EE60D
L, xrefs: 020EE630
{, xrefs: 020EE752
L, xrefs: 020EE676
t, xrefs: 020EE6A3
7, xrefs: 020EE441
9, xrefs: 020EE822
R, xrefs: 020EE671
c, xrefs: 020EE69E
:, xrefs: 020EE6EA
N, xrefs: 020EE667
{, xrefs: 020EEE16
d, xrefs: 020EE5F9
T, xrefs: 020EE5F4
?, xrefs: 020EE842
\, xrefs: 020EE38F
u, xrefs: 020EE694
g, xrefs: 020EEE0C
B, xrefs: 020EE635
p, xrefs: 020EE772
D, xrefs: 020EE662
[, xrefs: 020EEDEE
u, xrefs: 020EE37F
L, xrefs: 020EE67B
p, xrefs: 020EE68F
G, xrefs: 020EE82A
~, xrefs: 020EE367
4, xrefs: 020EE6CB
D, xrefs: 020EEDF3
k, xrefs: 020EEE11
&, xrefs: 020EE451
c, xrefs: 020EE76A
d, xrefs: 020EEE02
s, xrefs: 020EE36F
V, xrefs: 020EE603
L, xrefs: 020EE86A
], xrefs: 020EE3C7
(, xrefs: 020EE74A
i, xrefs: 020EEE1B
|, xrefs: 020EE3BF
}, xrefs: 020EE377
L, xrefs: 020EE6C6
Q, xrefs: 020EE608
q, xrefs: 020EF2A9
o, xrefs: 020EEE25
J, xrefs: 020EE64E
t, xrefs: 020EE461
H, xrefs: 020EE649
(, xrefs: 020EE5E0
c, xrefs: 020EE68A
G, xrefs: 020EF2A1
u, xrefs: 020EE6BC
P, xrefs: 020EE5EF
S, xrefs: 020EE626
F, xrefs: 020EE882
F, xrefs: 020EEDFD
h, xrefs: 020EE612
', xrefs: 020EE39F
U, xrefs: 020EE6DA
C, xrefs: 020EE63A
h, xrefs: 020EE6AD
I, xrefs: 020EE7DA
6, xrefs: 020EE852
E, xrefs: 020EEDF8
b, xrefs: 020EE6D5
?, xrefs: 020EE862
v, xrefs: 020EE77A
<, xrefs: 020EE621
?, xrefs: 020EE653
*, xrefs: 020EE3A7
w, xrefs: 020EE6B2
y, xrefs: 020EE87A
!, xrefs: 020EE73A
e, xrefs: 020EEE07
g, xrefs: 020EE5EA
`, xrefs: 020EE7A2
k, xrefs: 020EE872
k, xrefs: 020EE722
C, xrefs: 020EE644
l, xrefs: 020EE33F
q, xrefs: 020EE63F
?, xrefs: 020EE85A
/, xrefs: 020EE79A
i, xrefs: 020EEE20

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: 956e5634ba402c0b98be263ec24341df1d894c542c900cdbbef8950896477da6
Instruction ID: 026007d1c8abb9de85b2aa35797d646bad2fb288c1117b2a32b38352d3b5119f
Opcode Fuzzy Hash: 956e5634ba402c0b98be263ec24341df1d894c542c900cdbbef8950896477da6
Instruction Fuzzy Hash: F2B29C7160C3C18FD7258A38C85439EBBD2ABD6324F084A6DE4EA8B3C1D7799849D753

Function 0042621B Relevance: 35.0, Strings: 27, Instructions: 1202COMMON

Download Yara Rule

Strings

3416, xrefs: 004273A5
Z[, xrefs: 00426E5E
(]2_, xrefs: 00426A7B
2U/W, xrefs: 00426A91
bxB, xrefs: 00427850
nl, xrefs: 0042663C
Teg, xrefs: 00426ABD
Vt%t, xrefs: 00426E81
3416, xrefs: 004275C5
6fd, xrefs: 00426846
{HyN, xrefs: 004270B3
F;D, xrefs: 00426431
7J0H, xrefs: 00426452
zx, xrefs: 00426426
wDuJ, xrefs: 004270A8
zx, xrefs: 0042661B
s@qF, xrefs: 0042700F
Ta\c, xrefs: 00426AB2
'Y<[, xrefs: 00426A70
qVol, xrefs: 004272F5, 0042730C, 004273DA, 004273EA
jh, xrefs: 00426647
2{<u, xrefs: 00426E06
hIb, xrefs: 00426F44, 004277B0
7w, xrefs: 00426E11
SP, xrefs: 004270C9
N>_<, xrefs: 00426560
:vt, xrefs: 00426872

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: F;D$zx$'Y<[$(]2_$2U/W$2{<u$3416$3416$6fd$7J0H$7w$:vt$N>_<$SP$Ta\c$Teg$Vt%t$Z[$bxB$hIb$qVol$s@qF$wDuJ${HyN$jh$nl$zx
API String ID: 0-800298002
Opcode ID: 8baec23f4cf5547aa6b66ba67f19409ec75375b8b5232d2b2bf368be07f0dbf9
Instruction ID: 8ebcec6048e81b7414bf2c44ea1e9f7dace67e943cef4cf10300ed7be7304af5
Opcode Fuzzy Hash: 8baec23f4cf5547aa6b66ba67f19409ec75375b8b5232d2b2bf368be07f0dbf9
Instruction Fuzzy Hash: D1B273B160C3918BD334CF14D8417ABBBF2FB95304F44892DD4C99B252D7798A4ADB8A

Function 0043D0D0 Relevance: 30.7, APIs: 10, Strings: 7, Instructions: 957memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
SysAllocString.OLEAUT32 ref: 0043D608
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
SysAllocString.OLEAUT32 ref: 0043D6A8
SysAllocString.OLEAUT32 ref: 0043D765
VariantInit.OLEAUT32(?), ref: 0043D7D6
SysFreeString.OLEAUT32(00000000), ref: 0043DB5D

Strings

[J, xrefs: 0043D21D
fF, xrefs: 0043D5D0
CfF, xrefs: 0043D600
{pqv, xrefs: 0043D120
tu, xrefs: 0043D5AC
[B, xrefs: 0043D225
yv, xrefs: 0043D813

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 2895375541-1972840126
Opcode ID: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
Opcode Fuzzy Hash: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

Function 00417222 Relevance: 27.4, APIs: 4, Strings: 11, Instructions: 1137COMMON

Download Yara Rule

Strings

ruA, xrefs: 0041755F
WH, xrefs: 00417D6E
hIb, xrefs: 00417302, 00417414
7, xrefs: 00417D7E
*, xrefs: 00418053
TW, xrefs: 00417D76
pA, xrefs: 004176B7
}&'$, xrefs: 00417BD7
>gVf, xrefs: 00417278, 004172A4
), xrefs: 0041747C
X2c0, xrefs: 00417775

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: pA$)$*$7$>gVf$TW$WH$X2c0$hIb$ruA$}&'$
API String ID: 0-3485970058
Opcode ID: dabf9aa3e7e5fe174b775746690a1083a504edae4419c7588f9727c61f8d6a43
Instruction ID: db295268db8bdf45a891635b6dee4b286def9570c954afad4e7b9bb962e3f9ad
Opcode Fuzzy Hash: dabf9aa3e7e5fe174b775746690a1083a504edae4419c7588f9727c61f8d6a43
Instruction Fuzzy Hash: 947211756483528BD324CF28C8917ABBBF1FF95314F18896DE4C58B3A1E7388945CB86

Function 0210D337 Relevance: 27.2, APIs: 8, Strings: 7, Instructions: 957memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(80838290,00000000,00000001,?,00000000), ref: 0210D7D9
SysAllocString.OLEAUT32 ref: 0210D86F
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0210D8AD
SysAllocString.OLEAUT32 ref: 0210D90F
SysAllocString.OLEAUT32 ref: 0210D9CC
VariantInit.OLEAUT32(?), ref: 0210DA3D
SysFreeString.OLEAUT32(00000000), ref: 0210DDC4

Strings

fF, xrefs: 0210D837
{pqv, xrefs: 0210D387
[B, xrefs: 0210D48C
CfF, xrefs: 0210D867
tu, xrefs: 0210D813
[J, xrefs: 0210D484
yv, xrefs: 0210DA7A

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 2895375541-1972840126
Opcode ID: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction ID: 2eae990534a00fbe987fed5415118b083f4821f285b2c52f9919823feb8cd508
Opcode Fuzzy Hash: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction Fuzzy Hash: 976213726583508FE324CF68D89176BBBE1EF85314F15892CE5D58B3D0D7B99809CB82

Function 0041618C Relevance: 16.0, Strings: 12, Instructions: 1044COMMON

Download Yara Rule

Strings

y~, xrefs: 00416283
pSlM, xrefs: 00416406
fjM, xrefs: 00416BB3
6, xrefs: 00416C5B
EnA, xrefs: 00416E3F
fjM, xrefs: 00416B0D
YjM, xrefs: 00416B56
hIb, xrefs: 004165CD, 0041662B, 00416685, 004166CF, 00416744, 0041682D, 004169FA, 00416A43, 00416D22, 00416D9B
YjM, xrefs: 00416BF6
yx, xrefs: 0041628E
6y, xrefs: 00416278
{, xrefs: 00416299

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 6$6y$EnA$YjM$YjM$fjM$fjM$hIb$pSlM$yx$y~${
API String ID: 0-3256640486
Opcode ID: a1124e7b959c4d90c87debad6fb5843825e897d0dbba3db4b302970a02bb1865
Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
Opcode Fuzzy Hash: a1124e7b959c4d90c87debad6fb5843825e897d0dbba3db4b302970a02bb1865
Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A

Function 00411BDE Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

$, xrefs: 0041203F
t, xrefs: 00411C84
5, xrefs: 0041219B
&, xrefs: 00412044
A, xrefs: 00411FB9
J, xrefs: 00411BF1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction ID: a53242e4cf12c94eabb5fc35352f39a952aaa25ff7b8dface19663bb3d57fcdd
Opcode Fuzzy Hash: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction Fuzzy Hash: FB22B07160C7808BC7249B38C5943AFBBE1ABC5324F184A2EE9E9D73C1D77889458B47

Function 020E1E45 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

$, xrefs: 020E22A6
J, xrefs: 020E1E58
A, xrefs: 020E2220
&, xrefs: 020E22AB
5, xrefs: 020E2402
t, xrefs: 020E1EEB

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
Instruction ID: 6ca688dd44d40c9a57adec701ae7a58ac491560470d68ace7e35e20b19d19591
Opcode Fuzzy Hash: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
Instruction Fuzzy Hash: 7822917150D7808FCB249B38C4943AEBBE5AF95324F198A6DE8EA873C1D7748941DB43

Function 0042A7F0 Relevance: 11.1, APIs: 2, Strings: 4, Instructions: 573COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF

Strings

*, xrefs: 0042AA60, 0042AA93, 0042AB95
q, xrefs: 0042ADA6
hIb, xrefs: 0042AF20
*, xrefs: 0042AC00

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *$*$hIb$q
API String ID: 237503144-2036923828
Opcode ID: 8503be0273c585c30869208f1c9b1d0d655a2dc91da69c57cc7166c8ce56013e
Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
Opcode Fuzzy Hash: 8503be0273c585c30869208f1c9b1d0d655a2dc91da69c57cc7166c8ce56013e
Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E17A

Strings

RYZ[, xrefs: 0040E52E
skidjazzyric.click, xrefs: 0040E631
c[i!, xrefs: 0040E2CB
Zb, xrefs: 0040E188
UGC9, xrefs: 0040E2E1
yD, xrefs: 0040E29A

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$skidjazzyric.click$yD
API String ID: 3861434553-3210723225
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96

Function 020DE3D5 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 020DE3E1

Strings

Zb, xrefs: 020DE3EF
c[i!, xrefs: 020DE532
skidjazzyric.click, xrefs: 020DE898
yD, xrefs: 020DE501
UGC9, xrefs: 020DE548
RYZ[, xrefs: 020DE795

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$skidjazzyric.click$yD
API String ID: 3861434553-3210723225
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 50cb193d9fc6d2e9655c6f7c25522fe10b7489cf8eb4e7a7e9398a11a51f23a3
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: 55C1207150D3C08BDB35CF24C8687ABBBE1AFD2304F08496CD4D95B286D778450ACBA6

Function 00421B30 Relevance: 10.5, Strings: 8, Instructions: 527COMMON

Download Yara Rule

Strings

0, xrefs: 00421DF2
,, xrefs: 00422090
q, xrefs: 00422169
!@, xrefs: 00421B6A
6, xrefs: 00421E02
hIb, xrefs: 00421BEE, 00422040, 00422290
p, xrefs: 00422161
v, xrefs: 00422159

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$0$6$hIb$p$q$v
API String ID: 1279760036-1390072718
Opcode ID: dd519c3fc0e3cfcba68dda9bf8e7f9cc65e0c69498cac38047cedb9b411d5b27
Instruction ID: 8656d014051cfeae6f38fc6e5bc27d53fcdcc23dc9b32e8d9396b3c6709607b7
Opcode Fuzzy Hash: dd519c3fc0e3cfcba68dda9bf8e7f9cc65e0c69498cac38047cedb9b411d5b27
Instruction Fuzzy Hash: 0122DD7170C790CFD3248B28D58036BBBE1BB95324F558A2EE5E9873D1D7B988418B4B

Function 0040B280 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

ox}k, xrefs: 0040B695, 0040B6B2, 0040B550, 0040B5A4, 0040B739, 0040B742, 0040B6A6, 0040B76C, 0040B725
S;G%, xrefs: 0040B3DB
c[G, xrefs: 0040B2BB
UGEA, xrefs: 0040B292
)Ku, xrefs: 0040B43B
x[G, xrefs: 0040B350
SV, xrefs: 0040B66F
DM_e, xrefs: 0040B362, 0040B513

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B

Function 020DB4E7 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

ox}k, xrefs: 020DB9A9, 020DB80B, 020DB98C, 020DB9A0, 020DB7B7, 020DB9D3, 020DB919, 020DB8FC, 020DB90D
UGEA, xrefs: 020DB4F9
S;G%, xrefs: 020DB642
x[G, xrefs: 020DB5B7
)Ku, xrefs: 020DB6A2
c[G, xrefs: 020DB522
SV, xrefs: 020DB8D6
DM_e, xrefs: 020DB5C9, 020DB77A

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction ID: e69a2cf43c390fbbdd4fc637564cc10970b8f30b14bd34f1d37b2c829c59f69d
Opcode Fuzzy Hash: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction Fuzzy Hash: 7AD1F27150D3808BD725CF29889436FFBE2AFC160CF1A892CE4E55B349D776850ADB86

Function 00409360 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

vu, xrefs: 004094D7
Y, xrefs: 004094DE
ID, xrefs: 004093E2
E, xrefs: 00409388
ADTD, xrefs: 00409428
eMOK, xrefs: 004093F0
|xzy, xrefs: 00409438
vxtq, xrefs: 00409440

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A

Function 020D95C7 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

|xzy, xrefs: 020D969F
Y, xrefs: 020D9745
vxtq, xrefs: 020D96A7
eMOK, xrefs: 020D9657
vu, xrefs: 020D973E
ID, xrefs: 020D9649
E, xrefs: 020D95EF
ADTD, xrefs: 020D968F

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 2d47eafb8935b0b06afe5a8eb744e6024973220de91ae1ccd98e88d5a6726077
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7171F23158D3D68AD3128F7AC4A076BFFE0AF92354F1C496CE4D48B291D3798109EB56

Function 00428B10 Relevance: 9.3, Strings: 7, Instructions: 513COMMON

Download Yara Rule

Strings

we`k, xrefs: 00429A2F
x}{z, xrefs: 00429A3F
hIb, xrefs: 00429B35
|A, xrefs: 00429544
Gt, xrefs: 0042953C
J[, xrefs: 0042954C
LUC_, xrefs: 00429A17

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: Gt$J[$LUC_$hIb$we`k$x}{z$|A
API String ID: 0-2831770949
Opcode ID: b79ab64f3184afededd566de8f00a9bd4cc29ef230942a73ea65cfefecf807bb
Instruction ID: f20c1733954f3d7476a331e7578cdc678171662c1333d6829e8b94656b24469a
Opcode Fuzzy Hash: b79ab64f3184afededd566de8f00a9bd4cc29ef230942a73ea65cfefecf807bb
Instruction Fuzzy Hash: 080200B5A08350CBD3209F25D84176BBBE2FFC6318F454A6DE5C85B390DB799805CB8A

Function 00409660 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

$i|3, xrefs: 00409811
?+9&, xrefs: 00409809
4?!;, xrefs: 004097F1
9;#&, xrefs: 00409801
6?34, xrefs: 004096B0
)--l, xrefs: 00409819
K, xrefs: 00409A9E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: 6807048b151084a9e8e11973f3dfbc4b5eda1ab4f65a555cc9214e5bb2479a1e
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: 2DD1247120C7818BD729CF29C45036BBFE1AB97314F0889AED0D5DB382DA3D8909C756

Function 020D98C7 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

6?34, xrefs: 020D9917
9;#&, xrefs: 020D9A68
$i|3, xrefs: 020D9A78
4?!;, xrefs: 020D9A58
K, xrefs: 020D9D05
)--l, xrefs: 020D9A80
?+9&, xrefs: 020D9A70

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: ad15e5f3c8523971224832524369f35918046c06d7a4f2213fdd8be3af315ae0
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: BFD1F67160D7818BD72ACF29C85136BBFE1AF97218F0889ADD0D5DB282D739C50AC752

Function 00409B70 Relevance: 9.2, Strings: 7, Instructions: 418COMMON

Download Yara Rule

Strings

VW, xrefs: 00409F9D
EVA^, xrefs: 00409D89
]NGD, xrefs: 00409D94
~9, xrefs: 00409F05
b, xrefs: 00409E73
yD, xrefs: 00409CEB
UJVM, xrefs: 00409D7E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: EVA^$UJVM$VW$]NGD$b$~9$yD
API String ID: 0-481252236
Opcode ID: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction ID: ffcda9fbc27d5fd1cec50cde84d534a082da3ff5d4e5b8e77816747385cb8e1d
Opcode Fuzzy Hash: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction Fuzzy Hash: 82E1D1715083808BD724CF24C8947ABBBE2FFD5308F08892DE4D99B392DB798509CB56

Function 00437A60 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A74
GetClipboardData.USER32 ref: 00437A8F
GlobalLock.KERNEL32 ref: 00437AAE
GlobalUnlock.KERNEL32 ref: 00437BE6
CloseClipboard.USER32 ref: 00437BF1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7

Function 0043C6C0 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

>, xrefs: 0043CA51
A, xrefs: 0043C996
j, xrefs: 0043CA56
f, xrefs: 0043CA5B
g, xrefs: 0043C9A0
O, xrefs: 0043C99B
q, xrefs: 0043C991

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 933c444832a5593444b97503960d5bfec1f1b34db4cd747dab4759e8adc9f3c2
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: DAD1F633A0C7D04AD324853C889535BAEC25BE6324F1D8B7EE9F5973C6D66D88068357

Function 0210C927 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

g, xrefs: 0210CC07
A, xrefs: 0210CBFD
f, xrefs: 0210CCC2
j, xrefs: 0210CCBD
O, xrefs: 0210CC02
>, xrefs: 0210CCB8
q, xrefs: 0210CBF8

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 6a3ccfdc4574ed0c87dda4a16244bcc175badb93784f6643fdb64b2c69c26fed
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: DFD10733A4C7D04BD328853C889535BAED25BD2224F1D8B7EE9F5873C6D7A988058793

Function 00419B30 Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 947COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419FF7
FreeLibrary.KERNEL32(?), ref: 0041A039

Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Strings

hIb, xrefs: 00419B55, 00419BF7, 00419C50, 00419D41, 00419F6C, 00419FA6, 0041A010, 0041A04E, 0041A0D4, 0041A174, 0041A22E, 0041A28D, 0041A329, 0041A3D2, 0041A4F9, 0041A67D, 0041A6FD
mj, xrefs: 00419F08

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: hIb$mj
API String ID: 764372645-3554237108
Opcode ID: 2255e6a627f017e2ff8213536ec5aa708fa154555d2009938c782d16a4e298aa
Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
Opcode Fuzzy Hash: 2255e6a627f017e2ff8213536ec5aa708fa154555d2009938c782d16a4e298aa
Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B

Function 004042C0 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

IEND, xrefs: 0040479F
), xrefs: 0040433D
IHDR, xrefs: 004046BC
), xrefs: 00404347
IDAT, xrefs: 0040472B

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction ID: 828f2798e7534a509cb653a25c5a447f63e0741c52f375536a6b9b324fae408e
Opcode Fuzzy Hash: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction Fuzzy Hash: 5E02E3B46043808FD700DF29D89075ABBE1EBD6304F05897EEA859B3D1D379D909CB96

Function 020D4527 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

IDAT, xrefs: 020D4992
), xrefs: 020D45AE
), xrefs: 020D45A4
IHDR, xrefs: 020D4923
IEND, xrefs: 020D4A06

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
Instruction ID: fdab27426499ff26be581f546ebbbecce608b35ac23dd84171cf6d414da3c743
Opcode Fuzzy Hash: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
Instruction Fuzzy Hash: 6E0203B460A3808FD710CF29D89076ABBE1FF96304F05856DF9858B391D376E909DB92

Function 00427FC0 Relevance: 6.7, Strings: 5, Instructions: 431COMMON

Download Yara Rule

Strings

up, xrefs: 00428157
hIb, xrefs: 0042850D, 004285A0
#C}, xrefs: 00428438
vC, xrefs: 00428162
@-, xrefs: 0042814C

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: #C}$@-$hIb$up$vC
API String ID: 0-2493136435
Opcode ID: a40ab0c35494f53a3c3efd8fe30aa2786e8bf91813ef6e2f1cb74b29b3e8c936
Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
Opcode Fuzzy Hash: a40ab0c35494f53a3c3efd8fe30aa2786e8bf91813ef6e2f1cb74b29b3e8c936
Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A

Function 020DC2E7 Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

Js, xrefs: 020DC328
'!, xrefs: 020DC380
FwPq, xrefs: 020DC320
50, xrefs: 020DC414
DM_e, xrefs: 020DC2EA

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: 78c3dab6ffe4f3d6d08021daa9abf500a7cad071fcc8ef9c4498ca686b9783ab
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: F551DAB45493808FE338CF25C991B8BBBB1BBA1304F609A0CE6D95B254CB759446CF97

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743

Strings

67, xrefs: 00425B0C

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 819374343b18a50f3a79c1e36e6470eb4b163bff6ae0bbb91eeeb04a884fad02
Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
Opcode Fuzzy Hash: 819374343b18a50f3a79c1e36e6470eb4b163bff6ae0bbb91eeeb04a884fad02
Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B

Function 00440B00 Relevance: 5.6, Strings: 4, Instructions: 555COMMON

Download Yara Rule

Strings

S"(w, xrefs: 00440E4F
hIb, xrefs: 00440BE9, 00440D24, 00440DD5, 00440E49, 00440EC8, 004411E8
S"(w, xrefs: 00440BF0
f, xrefs: 00440DAA

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f$hIb
API String ID: 2994545307-2004069955
Opcode ID: 5357dd88d6c9d175448b55fcb449adf8c18e24cc533159dda654de1542b3fb91
Instruction ID: 3cfac3c3f928c660201977811b78d3d3052ee887d4b0c26ff85acd92e20ac89e
Opcode Fuzzy Hash: 5357dd88d6c9d175448b55fcb449adf8c18e24cc533159dda654de1542b3fb91
Instruction Fuzzy Hash: B412E1756083508FE324CF19C880B2BBBE1BBC9314F148A6EE9D45B3A1D775AC45CB96

Function 00425DA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24

Strings

23, xrefs: 00425E1F

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89

Function 00429917 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A

Function 00429B7B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437C52
GetSystemMetrics.USER32 ref: 00437C62

Strings

, xrefs: 00437D4F

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

fnga, xrefs: 00418BBC
bd\,, xrefs: 00418BB1
oQ, xrefs: 00418BD2
PWPQ, xrefs: 00418BC7

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: PWPQ$bd\,$fnga$oQ
API String ID: 0-3706350231
Opcode ID: f6cb8ff38777955036e78421dc32e0d0bf9476c58b0cc1ec37cf5569dcbf4c64
Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
Opcode Fuzzy Hash: f6cb8ff38777955036e78421dc32e0d0bf9476c58b0cc1ec37cf5569dcbf4c64
Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

Function 0041906A Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

J, xrefs: 004194C6
67, xrefs: 00419200
wq, xrefs: 00419150
u, xrefs: 004193AF

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 67$J$u$wq
API String ID: 0-4028943437
Opcode ID: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction ID: 45cabc22797d8237a69fda20461bdfe49cb428b8aed426b658ce7b40843b0e88
Opcode Fuzzy Hash: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction Fuzzy Hash: 2AB176B04483828BD7348F25C4A17EBBBE1EF92314F14892DD8D94B785E7794886CB87

Function 00428750 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

hIb, xrefs: 004287C8, 004288FA
/X, xrefs: 00428A82
BDE:, xrefs: 004287C2, 004287F2
&76#, xrefs: 00428A72

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID: &76#$/X$BDE:$hIb
API String ID: 2994545307-1576380528
Opcode ID: 398f735e3972e1031948fe2bba99ae7fdb72fc8d043efc994e95164fad8c0836
Instruction ID: de511f14106650819994a34559177bbffe3ae858db635c904efe7b47fdd347f8
Opcode Fuzzy Hash: 398f735e3972e1031948fe2bba99ae7fdb72fc8d043efc994e95164fad8c0836
Instruction Fuzzy Hash: 4C9146B27093119BD3109F25EC8176FB6D2EBC5318F58813EE4858B381EA3C9846878B

Function 020F89B7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

hIb, xrefs: 020F8A2F, 020F8B61
BDE:, xrefs: 020F8A29, 020F8A59
/X, xrefs: 020F8CE9
&76#, xrefs: 020F8CD9

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: &76#$/X$BDE:$hIb
API String ID: 0-1576380528
Opcode ID: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
Instruction ID: 35865cd19bc49bd4fc08997ac688a36077a4d67dc4114896353cd23eb2862170
Opcode Fuzzy Hash: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
Instruction Fuzzy Hash: 899134B26893018BD354DF25CC917ABB6E2EFC5314F18C53CEA858B690E7399806D786

Function 004437D0 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85

Function 004438E0 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 004438FB Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85

Function 004438F9 Relevance: 4.3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 00443A30 Relevance: 4.2, Strings: 3, Instructions: 488COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction ID: 631fa3f1d4c0726364ceec28ad2e892877ef6bcbce7aa5fcc49a4e7daf9cf800
Opcode Fuzzy Hash: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction Fuzzy Hash: DAE1FE39B09321CFD304DF29D89072AB7E2FB9A311F4A887DD589873A2D634D941CB85

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

anold~m`, xrefs: 004224DA
-jkhanold~m`, xrefs: 004224CE
d~m`, xrefs: 004224B5

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

Function 020F25D7 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

-jkhanold~m`, xrefs: 020F2735
d~m`, xrefs: 020F271C
anold~m`, xrefs: 020F2741

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction ID: 1d138b33dec07fe6041b449bc1c071e95449d886ca35cdb8be2c291e62352acf
Opcode Fuzzy Hash: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction Fuzzy Hash: 37D1ADB06483808FD754DF68C891B6BBBE0FF85318F14491CEA958B791E7B9D809CB52

Function 00422880 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

!', xrefs: 0042289A
hIb, xrefs: 00422D01
27, xrefs: 00422934

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: !'$27$hIb
API String ID: 0-1962406828
Opcode ID: 4e2b28aa3dff421b264bd62975b50a1b6ea877285231c709edd8e2387c1d3cbc
Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
Opcode Fuzzy Hash: 4e2b28aa3dff421b264bd62975b50a1b6ea877285231c709edd8e2387c1d3cbc
Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A

Function 020F2AE7 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

hIb, xrefs: 020F2F68
!', xrefs: 020F2B01
27, xrefs: 020F2B9B

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: !'$27$hIb
API String ID: 0-1962406828
Opcode ID: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction ID: 53533c2baab899c4d17a4beccc033a1570f54ebb84713c6ee788f96350ac1bbe
Opcode Fuzzy Hash: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction Fuzzy Hash: 58C124B16483008FD755DF28CC9276BB7E2EF81324F19892CEE858B690E379D905D752

Function 00443AC0 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

M;D, xrefs: 00443AF2
UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction ID: ab5f315b9e91ee1687aa44fd25e1738b775e8891b6341d15c5394949b1c7dc9f
Opcode Fuzzy Hash: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction Fuzzy Hash: 53D1FF3AA08310CFD314DF29D89072AB7E2FBDA310F4A897DE58987392D674D941CB85

Function 00421180 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

567, xrefs: 004216A5
<`>f, xrefs: 00421337
8deZ, xrefs: 00421342

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 754c1abd1b676f1653a7a5478e22f099d0a2726f3b1f9a9f143ecbe85e8fc021
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 99D1FFB06083208BD720DF24C851B6BB7F2FFE1354F498A6DE4858B3A5E3799845C756

Function 020F13E7 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

567, xrefs: 020F190C
8deZ, xrefs: 020F15A9
<`>f, xrefs: 020F159E

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 2e92c89d5ef41b2e5fc625831bfac0b91aac8918c76bab75dfa140e070565670
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 2ED1DDB06483008BD760DF24C861BABF7F2EFC2318F098A1CE5898B795E7799405DB56

Function 00429F7C Relevance: 4.2, Strings: 3, Instructions: 421COMMON

Download Yara Rule

Strings

rYaT, xrefs: 00429FE8
hIb, xrefs: 0042A752
ji46, xrefs: 00429FA4

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb$ji46$rYaT
API String ID: 0-3059523647
Opcode ID: 99b7879304e7a609f3c2f37bd056f0237a2b1b02470ad15b96e9471bda6789de
Instruction ID: dcd566aaca25f8eff7100027eceeae2756314058decd7535bc98b9674378a6ea
Opcode Fuzzy Hash: 99b7879304e7a609f3c2f37bd056f0237a2b1b02470ad15b96e9471bda6789de
Instruction Fuzzy Hash: 1BE1F132A08351CFD314CF29D88035AB7E2FFCA324F698A6DE995572A1D734DC158B86

Function 0042F716 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

5, xrefs: 0042FC83
bC, xrefs: 0042FD1D
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56

Function 020FF97D Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

bC, xrefs: 020FFF84
5, xrefs: 020FFEEA
Tx+, xrefs: 020FFFDE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction ID: 181f43818fdac62acdd6dd2ba623873f8c42776f3cb24030b306d8a37df0b758
Opcode Fuzzy Hash: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction Fuzzy Hash: A5B1C27050C3C18AE779CF2984A47ABFFE0AF97304F18896DE1D987692D77A8405CB52

Function 0042FB7D Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

5, xrefs: 0042FC83
bC, xrefs: 0042FD1D
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56

Function 0043099F Relevance: 4.0, Strings: 3, Instructions: 251COMMON

Download Yara Rule

Strings

.^Nw, xrefs: 00430C54
QRP,, xrefs: 00430C49
ut, xrefs: 00430B4D

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: ut$.^Nw$QRP,
API String ID: 0-2489489831
Opcode ID: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction ID: c8479f28a28c815cfbd9d5fc95f9476b123213feaa6e9ea5c0c948cebaf48d73
Opcode Fuzzy Hash: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction Fuzzy Hash: 3B710A7110D3918FD3258B2588B03E7BBD19FDB704F585A5DD0CA4B341DB794906CB56

Function 00415DD8 Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

7, xrefs: 00415F1F
hIb, xrefs: 0041603B
gfff, xrefs: 00415F4F

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 7$gfff$hIb
API String ID: 0-2814167686
Opcode ID: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction ID: 4941e5eadb7aba571cda7473ebd939308df881bd2ae5f083bfc9904c5215119c
Opcode Fuzzy Hash: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction Fuzzy Hash: 7061F572A446118FE714CF29DC017ABB7E2EBC5314F09C62EE485DB392EB3898458B85

Function 020E603F Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

gfff, xrefs: 020E61B6
7, xrefs: 020E6186
hIb, xrefs: 020E62A2

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff$hIb
API String ID: 0-2814167686
Opcode ID: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction ID: 81d0b939fd41660ade4b891eeb669717ea94ce73fa4032d30b1c2f26a23c0160
Opcode Fuzzy Hash: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction Fuzzy Hash: AD6102B26043518FEB29CF29DC01B6BB7E6EBD5314F08C62DD486CB291E73994468B81

Function 0040F2D0 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

:, xrefs: 0040F2F5
K, xrefs: 0040F38E
, xrefs: 0040F44B

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: e3fd2fc2a8267f717fe0e7e766dd9ea259cde5192962e3fe240e8cbdfa04c585
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 3A51A27250C7908AD7209B3884543AFBBD0AB96334F190F7EE8EAE73C1E67885458757

Function 020DF537 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

, xrefs: 020DF6B2
K, xrefs: 020DF5F5
:, xrefs: 020DF55C

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: 8c539072e5839fad659bd8581f696cd2d0084ef9152fb96104e957535c58215d
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 4D51F37650D7908FD7209B3884183AFBBD0AB85324F094F6DE9EAC37C2E6748641DB52

Function 020F829E Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

vC, xrefs: 020F83C9
@-, xrefs: 020F83B3
up, xrefs: 020F83BE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: @-$up$vC
API String ID: 0-1828384444
Opcode ID: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction ID: f8445143057d41332cb4f4693dfb1463bfc2ef7e5c013aa0dbab50882746cf87
Opcode Fuzzy Hash: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction Fuzzy Hash: BD412EB02497819FE3248FA1D894B9BBBE2BBC6344F148A2DE1D84B351D7788449CF57

Function 020D092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 020D095F
l, xrefs: 020D0966
GetProcAddress., xrefs: 020D09DC, 020D09DF, 020D09E4

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 53283dc0ea8b9753e02823edcb7fe2a1094e51661d39e6b2af5500e8c5ba7764
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD3135B6901709DFDB11CF99C880AAEFBFAFB48324F14404AD845A7210D7B1AA45CBA4

Function 020E7950 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,-000000D5,00000000,00000000,?), ref: 020E7C78

Strings

X2c0, xrefs: 020E79DC

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: X2c0
API String ID: 237503144-1612431719
Opcode ID: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
Instruction ID: d46ba6d734fe0640ac61c08d2a624e407c43fedbf7609cce5a1bf5928ec13e4a
Opcode Fuzzy Hash: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
Instruction Fuzzy Hash: E8A1E0329083228BC724CF28C8903ABF7E1FFD4754F19891DE9C69B261E7748985D786

Function 00404E20 Relevance: 3.3, Strings: 2, Instructions: 793COMMON

Download Yara Rule

Strings

8, xrefs: 00405733
0, xrefs: 0040573B

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e280355c8490aa10aa3c163a08f8bf67b3f263ce4a05db4f23ebfe07fe01392e
Instruction ID: ac1135438154d332a2dd7d7de386343b2aa589ad343a5ce191fd082a98776d93
Opcode Fuzzy Hash: e280355c8490aa10aa3c163a08f8bf67b3f263ce4a05db4f23ebfe07fe01392e
Instruction Fuzzy Hash: 4C721171508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 020D5087 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 020D599A
0, xrefs: 020D59A2

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction ID: 82850e1836791d8fb2ea12cad238263ac0ab79c94800629b67b53de09e1212d1
Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction Fuzzy Hash: CF7244712093409FD765CF18C880BAEBBE1BF88318F44892DF8998B391D375D958DB92

Function 0041F9A0 Relevance: 3.3, Strings: 2, Instructions: 771COMMON

Download Yara Rule

Strings

nB, xrefs: 004203B8
/B, xrefs: 00420402

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: /B$nB
API String ID: 0-3787476056
Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction ID: 01d0190d3bb0ccc58f1444bdf38ba46b89cc646c5dd88bcfe1081667cb01010c
Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction Fuzzy Hash: 3E7270B0509B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B6A

Function 0042AF92 Relevance: 3.2, Strings: 2, Instructions: 719COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6
hIb, xrefs: 0042AF20

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb$q
API String ID: 0-2144787547
Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A

Function 0042BA20 Relevance: 3.1, APIs: 2, Instructions: 146COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042BB95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BC1E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction ID: 88c8716360a9849faea0ff28cefb8e51f229f873179c28473aebd70c66339d06
Opcode Fuzzy Hash: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction Fuzzy Hash: 28513672519350CFE324CF76DC8075BBBA2FBC2304F16862DE5951B290CBB984068B86

Function 004239EB Relevance: 3.0, Strings: 2, Instructions: 458COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 00424034
yD, xrefs: 00423BFC

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: skidjazzyric.click$yD
API String ID: 0-557974968
Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction ID: ea6ce95d3b2e4101921536522c50bf2979d69fc2778ed717b5a7399473229c95
Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction Fuzzy Hash: BF322951608BD28DD326CB7C8848355BF912B27228F1C87DDD1E94F3D3D2AA8587C7A6

Function 00443B60 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: >D$UUK
API String ID: 0-1347512165
Opcode ID: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction ID: 5ece47969d2e4495fd744cec34393a228d2be6badad345384a3b8f4f4ab2efe2
Opcode Fuzzy Hash: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction Fuzzy Hash: 86D1EE35A08310CFD314DF29D89072BB7E2BBDA300F4A897DE98997392D675D941CB86

Function 0043DF60 Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

hIb, xrefs: 0043DFB3, 0043E112, 0043E191, 0043E300
NP,?, xrefs: 0043E1A0

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: NP,?$hIb
API String ID: 0-3261881042
Opcode ID: e0f0cde32fc97504d7e3b33cf41fdd076231a41b29b49f8870996e12f9a455c3
Instruction ID: 1f4fb5fde5d3a5e7269753d163d491fe37fce05cbc84d157e3c3b696b68cf536
Opcode Fuzzy Hash: e0f0cde32fc97504d7e3b33cf41fdd076231a41b29b49f8870996e12f9a455c3
Instruction Fuzzy Hash: 4CA148316052009BD714CF16CC81B6BB3A6FBC9314F14962DE9A5573C1D779AC06CB9A

Function 0210E1C7 Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

hIb, xrefs: 0210E21A, 0210E379, 0210E3F8, 0210E567
NP,?, xrefs: 0210E407

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?$hIb
API String ID: 0-3261881042
Opcode ID: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
Instruction ID: c03acc7c3870969b3301cd803592142870af081548ea2d7c57bd39d28d29c070
Opcode Fuzzy Hash: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
Instruction Fuzzy Hash: A5A106756842009FD718CF16CCC0B6FB7A6FB85318F148A2DE9A9572D1E7B1E805CB91

Function 004195B6 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

=, xrefs: 004197CC
^\, xrefs: 004198D8

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796

Function 020E981D Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

=, xrefs: 020E9A33
^\, xrefs: 020E9B3F

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction ID: 654ce685d1de04c166fba28492aced4140c285b3659d0307d14ebb6f0ec0fa1e
Opcode Fuzzy Hash: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction Fuzzy Hash: E0B1E4756083818FC729DF24C890BABBBE2EFC5315F08892CD4D68B781E7788845DB56

Function 00444C20 Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

hIb, xrefs: 00444D6E, 00444E96
Y\]R, xrefs: 00444E24

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID: Y\]R$hIb
API String ID: 2994545307-3530450188
Opcode ID: dfa53b0615ceaa2e98ff51c75bbc0347d69164a09dba18ea244a5081b1c32003
Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
Opcode Fuzzy Hash: dfa53b0615ceaa2e98ff51c75bbc0347d69164a09dba18ea244a5081b1c32003
Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786

Function 02114E87 Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

Y\]R, xrefs: 0211508B
hIb, xrefs: 02114FD5, 021150FD

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: Y\]R$hIb
API String ID: 0-3530450188
Opcode ID: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction ID: 45aa47c4bc4aa4c909a7fd377fec4b7a62b01e86429b04a91fd5a179afc84bef
Opcode Fuzzy Hash: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction Fuzzy Hash: C691E1716483119BD319DF28D88076BB7E3EBC5314F188A3CE89997390DB759909CB82

Function 0043B410 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

hIb, xrefs: 0043B74A
<, xrefs: 0043B58B

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: <$hIb
API String ID: 0-1231090771
Opcode ID: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction ID: 298ed6161c937c0e6968453eb829229e96a7e3621a1d6b118fdfa9d8e411f9a2
Opcode Fuzzy Hash: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction Fuzzy Hash: 78D1B0216087C28ED726CB3C8844359BF91AB67224F0983D9D0E95F3D3C3698986C7E6

Function 0210B677 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

<, xrefs: 0210B7F2
hIb, xrefs: 0210B9B1

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: <$hIb
API String ID: 0-1231090771
Opcode ID: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction ID: 9c1def52769affdccafe296ce1abed65a2e9941fced4b89835703a828f9d9830
Opcode Fuzzy Hash: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction Fuzzy Hash: EDD1BF21A087D28ED726CB3CC844359BF916B67224F0D83D8D4E95F3D3C3A59986C7A6

Function 0042F1C1 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: 70973cbbd1d345abe4e026803d5a60bd6a74268ec64029004c3dfe15c300f41f
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: 80814B716083914FD318CB29C8A136BBBE09FA6304F18996EE5D58B392D67DC806CB56

Function 020FF428 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

H, xrefs: 021006D4
6, xrefs: 021005FE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: a69b904657a86eb9f29886c73e17b2c781f82b5a37707b38e251188b7f681345
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: EE811B7164C3918FD7188B29C8E136BBBE19FD6204F18886DE5D5973C2D7BAC406CB52

Function 0043025E Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: 66dbb9f7593940bda3bdb21456c4f2af28ce9aa7ca169eb6b940cdf049e341e0
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 4B814C716083914FD718CB39C8A136BBBE09FA6304F18D96EE5D587382D67DC806CB56

Function 021004C5 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

H, xrefs: 021006D4
6, xrefs: 021005FE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: 2f3b8970e48fb6aec11bbd82d5b6d4935cb34a24b1c3b05efc88d36c535728e6
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 47812A7164C3918FD7188B3988E136BBBE19FD6204F18886DE5D59B2C2D7BA8406CB52

Function 004302CD Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

6, xrefs: 00430397
H, xrefs: 0043046D

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: c9c02734f3e5a7eb2ca0eed0804f28c87630d1e97fd284b28010db33944d152d
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 99816E716083814FD318CB39C8A136BBBE09F96304F18D96EE5D587382D67DC806CB56

Function 02100534 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

H, xrefs: 021006D4
6, xrefs: 021005FE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: e7f908439aa56f3b40e9aecb71718f1244cac98990afe03822e93588787b02d2
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 9F811B7164C3918FD7188B29C8E136BBBE19FD6204F18896DE5D5873C2D7BA8406CB52

Function 004123EC Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 004125AE
n, xrefs: 004123FF

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction ID: 424b4f810cf5c42aa0f11275d2ef5d9a27bebee222b9303fc165311a88e3af60
Opcode Fuzzy Hash: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction Fuzzy Hash: A1A1F676A087508BC3249B3885813AFBBD1AFC5324F198E3EE5E9D33D1DA7888418747

Function 020E2653 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 020E2815
n, xrefs: 020E2666

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
Instruction ID: 64d914f8308a8a9ca64729fbfd2f6552a64c28358ad145ba2b5d25f8c1792220
Opcode Fuzzy Hash: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
Instruction Fuzzy Hash: ACA1D8B66097908FC7249F7884803AEBBD5AFD5324F198A3DD9EAC73D1D6748841DB02

Function 00444950 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

qVol, xrefs: 00444953
hIb, xrefs: 00444967, 00444A2C

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb$qVol
API String ID: 0-3675372728
Opcode ID: 827eda1ab894654aa2a3152bf9128e123eb32b5f97ed0b048e3af71d8fdf7992
Instruction ID: 3822851cd43ddfd6e2ae3d15aa8c6b5369446e8c252419fc1ba6ad4511229b5c
Opcode Fuzzy Hash: 827eda1ab894654aa2a3152bf9128e123eb32b5f97ed0b048e3af71d8fdf7992
Instruction Fuzzy Hash: B181FE752087458BD724CF28D880B6BB3F1FB85354F19812DEA958B3A1EB35EC11C74A

Function 02114BB7 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

hIb, xrefs: 02114BCE, 02114C93
qVol, xrefs: 02114BBA

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: hIb$qVol
API String ID: 0-3675372728
Opcode ID: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
Instruction ID: 0ea47f1c1054120e2d942d47d621bf9a168a83c363b33b862ca3e039af374093
Opcode Fuzzy Hash: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
Instruction Fuzzy Hash: 7981B2756443058BCB24DF28C890B6AB3F2FF85B54F15857CE9958B3A1E732E851CB42

Function 0042AFB0 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6
hIb, xrefs: 0042AF20

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb$q
API String ID: 0-2144787547
Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B

Function 0043E6E0 Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

XY, xrefs: 0043EBE7

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786

Function 004324EE Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 00432790

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 787a559d3a6ca89598d2bb367016cd154da02af78fea546a06432564028693a7
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: C3322CB0405B819FD351DF39C545793BFE0AB16214F188A9EE4E9CB383D236E146CBA6

Function 02102755 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 021029F7

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 001efe52f6bcf79a7f2b2fe67255b0da57f0b2a19e15027d20b72f03ce9a28f9
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: 61322DB0405B819FD361DF39C445753BFE0AB16214F188A9EE4E9CB383D236E146CB96

Function 00426010 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction ID: 5d6f820f76e102683b6000eea9d9c0854d2a53b51ca8dd83b48920ec6b395174
Opcode Fuzzy Hash: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction Fuzzy Hash: 096111716083548FE720CF65D841BEFB7F0FB8A308F10856CE558AB282DB7554068B8A

Function 020FAA57 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 020FAB5E

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
Instruction ID: b9f0b19e5e95e3e7f7f2d0126ebf22001f377d76623191d5448ae9596527216e
Opcode Fuzzy Hash: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
Instruction Fuzzy Hash: 9D4103726583154FD324CF68DDC134BBAE2ABC4704F1AC93DE5988B285DBB4C9058BC2

Function 00414C30 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"PA, xrefs: 00415014

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: "PA
API String ID: 0-2145937358
Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796

Function 004186E5 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

hIb, xrefs: 00418791, 00418A2D, 00418B1F

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: 46a00a0ecf302162bcacee3841d39cb8847fcf24168ab73694eb9ecf13d5b766
Instruction ID: 98bb563e369b50833e553825352294a070171db5f83cbba2a90f400d3e1a70d5
Opcode Fuzzy Hash: 46a00a0ecf302162bcacee3841d39cb8847fcf24168ab73694eb9ecf13d5b766
Instruction Fuzzy Hash: 0FC14974608241DFD724CF29C8917ABB7E2FF86314F184A3EE49587291DB38D856CB4A

Function 00430F54 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86

Function 021011BB Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021011EC

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction ID: 515d3a311094eac2f0ae36c51b03c82d462ce6005a22749a02a9cd3e8cb9e785
Opcode Fuzzy Hash: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction Fuzzy Hash: EE31E4369583904BE7348F358C953EBBBE2ABC6314F198A6CC8D957285DB7A0805CB81

Function 00430F4E Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86

Function 021011B5 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021011EC

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction ID: 822734de72a375c273f97026b65f7d0f1ce55c71e2e7addbfb968dbdabc927a2
Opcode Fuzzy Hash: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction Fuzzy Hash: C231B4769583908BE3348F359C953DBBBE2BBC6314F19862CC8D957284DB7A0805CBC1

Function 004442E0 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

hIb, xrefs: 0044438B, 00444529

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID: hIb
API String ID: 2994545307-998422450
Opcode ID: 2371c81c8d9312712b1bf858ba5ced640c02af06fafc90aaa13f59f2e48bc76e
Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
Opcode Fuzzy Hash: 2371c81c8d9312712b1bf858ba5ced640c02af06fafc90aaa13f59f2e48bc76e
Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A

Function 02114547 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

hIb, xrefs: 021145F2, 02114790

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction ID: 964dfe5d39f20398580d1b3bf9975c521aeab8927adc07eace9c9e6c2280738e
Opcode Fuzzy Hash: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction Fuzzy Hash: D69102316083818BD7149F19C850B2FB7E2FFC9728F158A7CE4D59B290D7359815CB86

Function 004085B0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 0040860E

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 911296d1392f8c3c8cd6404ab6709485da162d277dd93cabcee5ac66b0687773
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 39A14B72E087618BC7109E28C98035BBBE1AB81310F698A7EDDD4B73D5DB389C458BC5

Function 020D8817 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 020D8875

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 8867225f90d922574f4eb1eaf393511e352355632489f71aa05e7f7cbf5816a3
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 96A14972E093624BC711CE2CC88439AFBE1EB81324F19CA59EDD5A7395E3349C469BC1

Function 0041BA52 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 0041BC5F

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6

Function 00406120 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406256

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction ID: 9057347cd236a3d55169ab5d420f90e4f8a8bfd1e184600247eeff6d96e402e7
Opcode Fuzzy Hash: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction Fuzzy Hash: 04B139712083819FD325CF18C88061BFBE0AFA9704F484E6DE5D997782D635E918CBA7

Function 020D6387 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 020D64BD

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction ID: 18b9a4dc7fee75a7103c075da97184f7416bf307be39cc7a09decd6c69ca2baf
Opcode Fuzzy Hash: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction Fuzzy Hash: C6B147701093819FC321CF28D99061BFBE4AFA9704F444A2DE5D997782D631E918CBA7

Function 004180F0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418257

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction ID: 92e196d3d9e6bda93a0c7e2106ea41e010bf6410d3e766de811087e40ead5107
Opcode Fuzzy Hash: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction Fuzzy Hash: 6291C5B1A086429FC714CB29C4917ABFBD29BD5304F18892EE4D9C7352E739DC85CB86

Function 020E8357 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 020E84BE

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
Instruction ID: c3e0141419a6b65345f93df116189bcbaaa66f1111fde14a289b5bc671b98eaf
Opcode Fuzzy Hash: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
Instruction Fuzzy Hash: FD91B3B15087429FCB19CB28C49166BFBE2AFD4304F18CA6DE4DA87352E735D885DB42

Function 00444680 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

hIb, xrefs: 00444697, 00444779

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: 5817dc08d7b1637e7e3a733f633ebef0ac83d0369adc13ba2a740957247a8f0c
Instruction ID: 96d12ea3d3c94a09dadfd44fb7852b0513c37639a1ae6042b5b217cdcd3fb480
Opcode Fuzzy Hash: 5817dc08d7b1637e7e3a733f633ebef0ac83d0369adc13ba2a740957247a8f0c
Instruction Fuzzy Hash: CA81AE792042418BE724DF29D890B2BB3E1FFDA714F15862DE9908B3A1DB39DC15CB46

Function 021148E7 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

hIb, xrefs: 021148FE, 021149E0

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
Instruction ID: f39d50089440320f3c06d16df1916e80ce4d502f334497e5884bb48c74eaf2ff
Opcode Fuzzy Hash: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
Instruction Fuzzy Hash: 5E81B0792443058BD724CF18D890B2AB3F2FF89B14F19867CE9958B3A4EB31D851CB46

Function 0041D8B0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 0041DA33

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: D76127B3A5D6D04BD3258A3C4C613EA6A930FA7330F2D87AAE8F5873E1D15D8C469345

Function 020EDB17 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 020EDC9A

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: 3b4d306a20004c0c99b5b884e6f37b742a72015a0d3c5f0a3fd0cdefd3db02c8
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: 9A61662764D7D04FD7298A3C4C613AE6A978BD3230F2D87BAE4F68B3E1D2598841D341

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

hIb, xrefs: 0043CF30, 0043CFC2, 0043D068

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction ID: e35f2f60d65f04bb18af1f8d7cf5bd4ec7f66c51464b3c3842bee00e328901c8
Opcode Fuzzy Hash: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction Fuzzy Hash: 3B51F671A0C6018FD3188B28D59032BB7E2BBC9328F159B2FE4A5573D1D279C946CB4B

Function 0210D0F7 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

hIb, xrefs: 0210D197, 0210D229, 0210D2CF

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction ID: d0e628326c1a362bbf8a1ff7f3259b2b0fac71425e20fec728226b949d8240fb
Opcode Fuzzy Hash: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction Fuzzy Hash: D65127756483118FD3188B68E89032AB7D2FBC9328F15872EE4A5573D1D7B4C981CB46

Function 00418492 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 00418669

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B

Function 00417054 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

rA, xrefs: 00417161

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: rA
API String ID: 0-3688822144
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752

Function 020FAF50 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

q, xrefs: 020FB00D

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction ID: 81511cb2e48865bc8bd8f50730c43ecf2a721ae123440c0a3839083b1f121e07
Opcode Fuzzy Hash: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction Fuzzy Hash: F541DBB41483018BC760CF24C49176BB7F1FF86358F148A5CE9998BBA0E779950ADB87

Function 0040D172 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

301V, xrefs: 0040D2D5

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: 301V
API String ID: 0-2749669040
Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction ID: baf02472d42b1fd34baef0eca44314001f1f1136a433d7a2becac9f4216ef3dd
Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction Fuzzy Hash: 6741BE742483118BD714DF54C8A4B6BB7F1FFC5308F08892DE4865B395E7B99608DB8A

Function 020DD3D9 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

301V, xrefs: 020DD53C

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: 301V
API String ID: 0-2749669040
Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction ID: 30a979868925ce0a5a9614884fc10d9898a5f1a23d107c1c30c1d3a0172838d9
Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction Fuzzy Hash: 1241A17524C3118BD728DF54C8A4B6BB7F1FFC5308F08992CE4864B255E7B59608DB46

Function 00442DCA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

UUK, xrefs: 00442E65

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: UUK
API String ID: 0-1743445028
Opcode ID: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction ID: e9b7a210428eddec2d32ba3198370ee38b37a834245a60ff4a0e95a4beb386be
Opcode Fuzzy Hash: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction Fuzzy Hash: D14106322087504BD31CCF38D9A132BFBD7AB85314F5A856ED0868B791D6B999058B89

Function 004421E9 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 004422FA

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84

Function 0041B58F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0041B59D

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B

Function 020EB7F6 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 020EB804

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction ID: 734a636b239f149c0ee7fe395fefbdca0d15c2261227c63d92691f36a2870a07
Opcode Fuzzy Hash: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction Fuzzy Hash: 142129315583508FD7198F24C854B2ABBE0AF4631CF494A5DE4E6EB3D1C379C945CB46

Function 00427FFD Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 004286AD

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A

Function 020F8264 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 020F8914

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: f24516a26cc38f357e03961b5b76abbc7a0f40534526b00934318b0c3393561d
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 7B21D5B05083458BD7A09F64C8917FFB7E1EF92314F08882DE6C187A81E779C402DB12

Function 020E5527 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

hIb, xrefs: 020E553B, 020E55E6

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: hIb
API String ID: 0-998422450
Opcode ID: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction ID: 3ee0b6ecc0043488b1d5c435524a0c775c177f83be9db56a78a2b0d6d7dc3a18
Opcode Fuzzy Hash: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction Fuzzy Hash: 3F01A2767102018FCB598F159C60A3A77A2FB4631DBA5192CE04397460D730E492EE45

Function 020F8677 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

#C}, xrefs: 020F869F

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: #C}
API String ID: 0-275300757
Opcode ID: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction ID: 361f77b7b42565d2b58049316392817889644841a60e8c435618560dc1588056
Opcode Fuzzy Hash: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction Fuzzy Hash: 0A11CE764883058BD318DF19C4816ABFBE5BBE1304F14192DF1D687258CB71D3498B8B

Function 00440A90 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

hIb, xrefs: 00440AB6

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: InitializeThunk
String ID: hIb
API String ID: 2994545307-998422450
Opcode ID: b742c9dc481357075cde75226765a26651ce40b82d6343e18e23e0a7f9609d23
Instruction ID: 7b6863c9c9260bd0558c6f806dd5f9e3415f7290086a878cc0b8c3271b95cfd7
Opcode Fuzzy Hash: b742c9dc481357075cde75226765a26651ce40b82d6343e18e23e0a7f9609d23
Instruction Fuzzy Hash: 6EF0F936544304ABE1105B459C40D3777AEFB9E728F104319F715332A1E772ED2197A9

Function 020E886C Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

(, xrefs: 020E88D0

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction ID: cdbb2c07d9ac29b487fb0099e7f7503a61cddac5ae3de5585d31ed48a6c1505b
Opcode Fuzzy Hash: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction Fuzzy Hash: 351135B010D3808FE7329F24944DB9FBBE5BB92314F584D6CC4C99A255EB358019CB43

Function 020EFC07 Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction ID: abc50ede92b65899dd1dbeb3eaad4e4daa90c2cf2e44120d1c656a78f4f662a9
Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction Fuzzy Hash: 47728FB0609B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B66

Function 00406950 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
Instruction ID: 932c1377a91fa6d9b3b3430258c24ebd6eaf69df9939b5fdda7094baad6b34e3
Opcode Fuzzy Hash: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
Instruction Fuzzy Hash: 2552E3B0908B848FE7318B24C0847A7BBE1AB51314F15487FD5EB16BC2C27DB995CB5A

Function 020D6BB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction ID: bf469fffd93e38aa2f142186e62221b79a294cadfc37ba8d7f25a46ba2e530b4
Opcode Fuzzy Hash: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction Fuzzy Hash: F652D570A09B848FE736CB24D4843ABFBE1EB41314F144D2ED5D706AD2D37AA589EB05

Function 00402F10 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction ID: 160b274c87364c204653c38da9fcebf7ab15e3d340062075e97a75c0ef340a85
Opcode Fuzzy Hash: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction Fuzzy Hash: A952E2715083458FCB14CF14C0806AABFE1FF89305F19897EE8996B381D778EA49CB89

Function 004352B0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 4b3eda8883421d9be4123ed30faec38c52da7834026f1f28b94d7c465451f811
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: 906215B0605B819FE3A5CF39C842793BBE9AB5A304F14896ED0EEC7382C7786541CB55

Function 02105517 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 4c19e259fe32a223af1e8477249c1212aab39330ab71829a83b2dbc956ce3853
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: D86224B0605B809FE3A5CF39C842793BBE9AB4A304F14896ED0EEC7382C7746645CB55

Function 00407730 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 81516d2b71f578880f32ea2fb0b1a758f5866deba3e580c85c02b3815e78599f
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 92129432A0C7118BD725DF18D8806ABB3E1BFD4319F19893ED586A7381D738B8518B87

Function 020D7997 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 82017f98f3bc80d64f604053e1a15d337f5c2b05e2624617aa3b614377c8beef
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 3412D332A097118BC775DF18D8807ABF3E2FFC4319F198A2DD9869B290D734A811DB46

Function 00403910 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
Instruction ID: e8a8d303bceb257a05cc9702c71d1473efa751c96297dfdbf865dac3254e2c35
Opcode Fuzzy Hash: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
Instruction Fuzzy Hash: C2323570914B118FC328CF29C680526BBF5BF85711B604A2ED6A7A7F90D33AF945CB18

Function 020D3B77 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction ID: 01ca9b9d541913d04a59c4a6733daf41c7c84ae92c86cc77afcecd074bed8bd2
Opcode Fuzzy Hash: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction Fuzzy Hash: F83232B0516B118FC369CF29C58062ABBF2BF45610B904A6ED6A787F90D736F484DF01

Function 00405B00 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
Instruction ID: e42773c1c3f8ebd4ec4fdfa443408146433f44d101ef95b297255552456e3a2e
Opcode Fuzzy Hash: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
Instruction Fuzzy Hash: D912EA356487418FD718CF29C88176BFBE2EFC9304F18886DE48597392D67AD806CB96

Function 00428C62 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A

Function 00433FDF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: fc893d91c279ff005c603ba294d35f082a1a544f6a0d4a0cd85d12e9c2d95447
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: B2F10872604B808FD315CA3CC850396BFE2ABDA314F1D8AADD5EA8B3D2D635A406C755

Function 02104246 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: cee2f74fc51f54eeb5093958a368ff55f0d3e5e4233e2fc021a0d75604b58688
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: 96F1E972604B808FD315CA3CC8903A6BFE2AF96314F1D8A6CD5EACB3D6D675A406C751

Function 0040B92C Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction ID: ab12ed09055e8ea0522be78a4f74e04d5a6e4ec08103d562aa4998abfe28fe27
Opcode Fuzzy Hash: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction Fuzzy Hash: D1F16AB56007008FD324CF29C851756BBA1FF85318F2886ADD56A9F796D736E807CB84

Function 00433707 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: 61392d9dde5cb97d8dce762518bdb59e491427bd921cb3ee7e980f1176e7b5dd
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: 5CF12B70119BC18FD3528B39C451352FFE1AF16218F1CCA9ED4E98B783C62AE546CB65

Function 0210396E Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: c513f59ae0cb0cabae610db6e88a61114c037b35383f5cad6d10527d38c6efd8
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: F7F11974109BC18FD3528B39C491352FFE1AF16218F18CADED4E98B783C26AE546CB65

Function 0041D4A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820bd567e52d356ac51d3a1904cdb09995c1ec7fd2393dd78d401b0c15796d90
Instruction ID: 12891cdbc617c73904f6855338867ea7404e8da75aaa1553ee6c4b335979751e
Opcode Fuzzy Hash: 820bd567e52d356ac51d3a1904cdb09995c1ec7fd2393dd78d401b0c15796d90
Instruction Fuzzy Hash: 24B1E4B5D04301AFD7109F25DC41B5ABBE2FFD4329F148A2EF4D8932A2D73999448B4A

Function 020ED707 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4287807ec6bec5b666dc0d3d2698f23ba38bd9abeb89fcf0da42df155a57f7
Instruction ID: 23a1589dd644a59390087397d6d1340fa70e824024e67100927414a571f5ddea
Opcode Fuzzy Hash: 7c4287807ec6bec5b666dc0d3d2698f23ba38bd9abeb89fcf0da42df155a57f7
Instruction Fuzzy Hash: 1BB1BF71918301AFDB619F24CC41B1ABBE6FFD4325F148A2CF4A9932A0D7329954DB42

Function 004064C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: 2b955227a983d1d811affef35ca8e007786d955133afca59bf8ef9fa6e1af4d4
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: F5C15CB29087418FC360CF28CC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 020D6727 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: c9cb6aff17d426d89da5f6564977f2102d83a5e431ed723b7e96e44eb30e8ded
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: 6AC17CB29087418FC360CF68DC86BABBBF5BF85318F08492DD1D9C6242E779A155CB06

Function 00441C26 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction ID: d38a7820e927ac79209808e9917237a673a4e0aa3014f7e1d10a8d6c11df8dbd
Opcode Fuzzy Hash: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction Fuzzy Hash: 5FA1C27690C3018BD704DF25EC9675BBAE3EB85309F09C93DE08997352EA3985058B4A

Function 00427C10 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787

Function 020F7E77 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction ID: e0541180eb8834238dd03abc2ebf1dd900f479e8750dedc1fee4b37980f7a590
Opcode Fuzzy Hash: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction Fuzzy Hash: 93813AB55483408BC3509F68C8417ABFBE1EF91318F088A2DF5D84B791E7798949D787

Function 0041D1B0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction ID: 9374f0dcfe35b385838bdc5e4bb432c203163cf561be86e4770f1d01bf1c2ca7
Opcode Fuzzy Hash: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction Fuzzy Hash: 50812BB2A082654FC715CE28C85139FBBD1AB95364F18823EE8F5873C2C738D94697D2

Function 020ED417 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
Instruction ID: 1153fa0ba0a60dd03d77d910a4059be32357a21abac68fc1c13f09899ed5f47f
Opcode Fuzzy Hash: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
Instruction Fuzzy Hash: 9E813BB26083614FCB168E24C85175EBBE1FB95224F18863DE8EA8B3C1C735D946E7D1

Function 0043210B Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 41ce66d59fb3b72e70b63803f4d723d6c8e4d9b5984d2f94b5a537e5089b918e
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: 27A12B76608B808FC3118F3CC991396BFD26F9B314F1986ADC5EA8B393C6799406C752

Function 02102372 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 39937e64f582fb5bd3c6fcc2c516927f80b26a926690b8d6894834660bf58ab2
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: FBA1F976604B808FC3258F3CC895396BFE2AF97320F19869CC5EA8B3D2D6759406C752

Function 00434FF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: 50bce581e1b0041ce85711fc0421540756ccbf32b7296321612c510e57d28a97
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: DF71262764DED007D72C453C5C613BAAA934BD7334F2E976EE4F24B3E1C56A48068349

Function 02105257 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: b39bbf7dba042ff359862e432bdd41335beff687191e3c08f427b57261e74dd9
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: 2B71263728DA9057D32C553C5CA63BAAA835FC3234F6E976DE4F24B3E1D6E588028744

Function 020FB247 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction ID: f3a7d7b11e5c3cbfcae630ff94dab6e71781f456f191fbd97e75134e21f9f03a
Opcode Fuzzy Hash: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction Fuzzy Hash: D671E0B01883018BD754CF64C8A176BBBF2FF86318F04892CE5855BB95E378D905DB46

Function 00427885 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B

Function 0041F170 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756

Function 020EF3D7 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction ID: 95bc05f39b944dce73b06001702054067274044dafa8cdf6748719ce888d8e7f
Opcode Fuzzy Hash: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction Fuzzy Hash: 18617B71A083914FCB368F38C89092E7BE1AF95220F4882BDE8E54B792D731D845D752

Function 0042F4E1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: 9ecb6df6af24b1f74966394131ffdcc5ba7ea28be31435c304ffc82d0aba2bdf
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: 43519D22B457624BD7048A3898802A6BBA3DFD6361F9CC73FC491873D6DB7C980AC345

Function 020FF748 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: 12286480462cfdb216b6c70ac7d50e80403557f017c1e49a4a8cfc43761da259
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: 5951AE32A997434BD3898A39C8902A9BB83DBD6265F1CC73DC59187FDAD778940AD340

Function 020F7B02 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction ID: 746aa2140afa039c1f7232353b8f01d022d056635dfc5044750ee2a86183546b
Opcode Fuzzy Hash: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction Fuzzy Hash: 015137726883918BE7B5CE2884517EAF7E1DF46200F08893DC6C687B91D338A505E783

Function 0041AB90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B

Function 0043C460 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: c97da413fd5a9132ec8511ec3fb1d3aba95cfbccb1f123846b9e4f248ad7db27
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 7E514CB19087548FE314DF29D49475BBBE1BBC8318F044A2EE4E987351E379DA088B96

Function 0210C6C7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: 441e9563d93c6a95ffde7575a353b1511b30f6b9f6f11a6afec0bdd67132580f
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 85515CB15087548FE314DF29D89475BBBE1BBC8318F144A2EE4D987390E7B9D6088F86

Function 00437850 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 48aa9a845809bd12f015dc09ae20762c45634ee2d6e6e50515cef5deddc0b902
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: 6351066274D9904BD338993C4C623AA7A834BDB230F2DE37FE5F6873E1D55848069255

Function 02107AB7 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 9604db37193230e7ae143eacf2f418e228148c8d5d796d5ea7d0b43427c15e5c
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: 2D51EA367895914BD32C9A3C5CA23B6BAC34BD7130B1EC76EF5B6873E1D69548028390

Function 0041A770 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E

Function 020EA9D7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction ID: cf01a2ee3f208a0097117439dc7108b60835c21f2e7d4a6ac132b0c9b5790f01
Opcode Fuzzy Hash: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction Fuzzy Hash: FE51E1542093908ADB05DF7488D1A3A7BF1EF49309B0964DED898CF367E334D216DB9A

Function 00402210 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A

Function 020D2477 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: 4f03bcdc93b9c147c847f3e70440118a5e503f1508e85a9e3370fdd103800a29
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: CF5180B58017059FD3209F289C54B2BB7B4BF45328F14072CECA9972E2E731E954DB8A

Function 020E72BB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: 0e8e8716949996c239527e7cb36ed4dac61032cdff82938018c78958938b81f7
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 41415D356987824FC73ACE7984903AEFBD2ABC6210F0C867DC8D197685CF78C4468751

Function 0043CD40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791

Function 0210CFA7 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 54e62953b8ba41ae028d5d10a1cc34d146fc7521220df5abd8ac4e5b60a44893
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: AD310773B856104BD318CA29DC827AAB7D297C9324F0AD63DE898D73D4E73DC8428751

Function 00408D10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: 4bae2713ce7709fe8da5589f50bc1a219f305d3d105056fe83fc3629ebc2cdfc
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 3431B633A219114BE314CA29CD4479632D2ABD8328F3E86B99465DF7D2DD3B9D0386C0

Function 020D8F77 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: ec0639f13978c4dc8e7b568e46414978401a47c4ecb3a980f9492863fcf824c3
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 90319433A216114BE354CA29CC447A536D3ABC8328F7E86B99525DF692D93BAD039680

Function 0043E520 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: 1389e4d53b694fd295f4c99b563822772ee8ec12a6424706be6842d5b3f5de1d
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 40311973A197144FC3289D7D889015BBB929BD5334F2A873EDAB54B3C1DE748C015786

Function 0210E787 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: a5ee8baea6cfeac321d49195cef26ca32154b106aeb160c043b9aba62b9c801c
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 1231E473A597184FC3289D7D988026ABB925BC1334F1B8B7EDAB54B3C1DFB088019685

Function 0041B021 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B

Function 0042E9B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction ID: debfc5dd17bc83b4888ed899efee17c0fbb67269f2955dd3302a8cbeb79cd110
Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction Fuzzy Hash: 1B312673E21A380BC7088D3D9C1126A75829BD5265B9EC37DEDAADF3C2DA35DC0582D0

Function 020EB288 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction ID: 50ea067c5158e5784bc2126aac4f466fcc2f3e48591cb041d9daa9bb0d94016e
Opcode Fuzzy Hash: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction Fuzzy Hash: 513128759483918FDB198B34C8917AFBBD1AFD7218F089A2CE4E293391D338C1468B57

Function 00431AF5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A

Function 00408320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5

Function 020D8587 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: 34b4074b409e0c824458e8ca4cf77f246e761f43e1647d2fc76f342a77c77b67
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: F931F76650E7F24EC733892D449047DBAE099A612871E83FEDCF18B7C3C611C94693E1

Function 00402B40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction ID: ac5a2fd1a34d00fe81212d9a0dd75a5008a32a6ff7d51fa23ef38769660ba55c
Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction Fuzzy Hash: 392129B971A1A10BD700DF399DD412B77A2D7C730671F4577DA80D3392C27AE80AC225

Function 0041B3F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92

Function 020EB659 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: 5a3507e927bda0750b0c1f729e5992713e58c6721e864162f64f8e5b75ac2aa2
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: F231E4766183418BDB18CF39C89136BBBE2AB86318F18CA6DE4D2D7284D73CC445CB52

Function 0210EB27 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction ID: b7e457c729fd8a95eb2b4dabe511790f3a6c04b7af20a8412c6c23efbe8a9753
Opcode Fuzzy Hash: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction Fuzzy Hash: EE219E39844317CBC7249F19C05067EF3B1FF48B90F56881ED88157260EB74A9A9CBC1

Function 00430F03 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6

Function 0210116A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction ID: 1aad4460bcd9722582b108e9f1d082475a586279f11333e7efb7390a564310f3
Opcode Fuzzy Hash: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction Fuzzy Hash: F621A3769583A04BE3348F359C953DBBBE2ABC6314F59C62CC8D957284DB7A1805CBC1

Function 0043A230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A

Function 0210A497 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f6fe38f32638254117dfd4003f9752c705f6690066de54428cd8f72f752624e1
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9F11E533A492D40EC3168D3C8480579BFA30E93135F5D8399F9B9DB2D2C7238D8A8750

Function 0042C5E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4806e0e9ba83394bcb90c2b4a85db531bb675bab5e0f9d9bd9f754c6d77f4dd
Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
Opcode Fuzzy Hash: b4806e0e9ba83394bcb90c2b4a85db531bb675bab5e0f9d9bd9f754c6d77f4dd
Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD

Function 020FC847 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction ID: ed8fd348e8dfb7941f14d66d181e5ee3022ffca787119f5c78a9a4a0369c66d0
Opcode Fuzzy Hash: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction Fuzzy Hash: 38019EF1A4130557E6A2DE5484C1B37A2E96F80714F18803EDA1957E00DB66E807EB91

Function 020A0083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977943895.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20a0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 6405eb6ff483dce1198c254e2146612144851b222abf9058a11c6977ca628311
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: B8118E72340204AFD754DF95DCD1FE673EAEB89320B598065ED08CB316D676E841CB60

Function 020E5202 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction ID: e42e4ed7444637acb9172daae2f8c068fd141d83b222e9267d2cdac5258e14ad
Opcode Fuzzy Hash: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction Fuzzy Hash: 23F0B43AA5D7504EE3048EE8D48436BFBD2EB81304F19947DC6C4A7581CAB998858B92

Function 020D275E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction ID: e23c4aed3e359ff0919f98341f407045f5ec6c2b6b54e8b2eadb2e6be647d692
Opcode Fuzzy Hash: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction Fuzzy Hash: 8EF05C6254A3404F87150E5988D03B8F7A74B97215708A56DD8D54719BC631C549E758

Function 020E921E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction ID: e326c345bde377aa6e8bb6850dbeabc37b2ed60f2dbed3116b3c9db056a2dc49
Opcode Fuzzy Hash: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction Fuzzy Hash: 6EF082B1A0034ADFCF219F44C841AA7B7F5FF86350F044455F8864B220E735C551EB56

Function 0210EA3F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction ID: 0b9b9b8d1acbc421fb4df588ac428151bad35d72c9f52a6cfd89ee711df870cb
Opcode Fuzzy Hash: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction Fuzzy Hash: C3F0A932A193508BC310DF268A0036BF7E1BFC6B04F48CC69D4D997210E278C5028756

Function 0041F3E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 65b04920acd8ec40befbc16cdab85cd19ddd64fc0dfac740f80379ed40623b4a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 7CD0A7715487B50E57588D3C44A04BBFBE8E987712B1814AFE8D6E3206D225DC47469D

Function 020EF647 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 68bc2438b9170b7e8c68db7a15aaad1cd2d7eec32e55d38bfe2f2de7c0c16392
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: D8D097A05083A20F4B898E3804A0837FBE4E943112B08148EE0D2E3414C321D8019258

Function 020F8EB2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction ID: ad7c06e57a303dba94bcd7d2aa197efc7e92ac1f9ab750114ca6719ae142e1d8
Opcode Fuzzy Hash: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction Fuzzy Hash: 77B048389482409B9604CF00E88042AF375AA8B200F14A418E84933310CA30E8008A89

Function 00425560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D

Strings

p:#, xrefs: 00425647
$%, xrefs: 004255A6
MO, xrefs: 00425572

Memory Dump Source

Source File: 00000000.00000002.1977528269.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1977528269.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ab89jay39E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: 81944db62257c61826c9772faf3d9c506449667b4075365b7c5b7f4bc0eeec7d
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 6141DF365183448FE310CF24C88475FBBE2FFC5758F16892CE4D49B680D6B9CA0A8B86

Function 020F57C7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 020F5884

Strings

$%, xrefs: 020F580D
p:#, xrefs: 020F58AE
MO, xrefs: 020F57D9

Memory Dump Source

Source File: 00000000.00000002.1977967206.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_ab89jay39E.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: c0e96cbee9336228d481724a3f098cde9fbab6367f1fdbb76a62b9dbcf266781
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: B741AE765583448BE310CF25C89475FBBE2FBC5758F16892CE4D49B680C6B9CA0A8B86

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ab89jay39E.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ab89jay39E.exe_43ac3acd26b4b783eff79ce85ceaf6cb640f5fe_f7720af9_1e63598c-746d-4f38-b4f0-86f8240766fe\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CC1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EC5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EF5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
ab89jay39E.exe

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Function 020A07A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 020D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 020D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON