Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LisectAVT_2403002C_59.exe

Overview

General Information

Sample name:LisectAVT_2403002C_59.exe
Analysis ID:1481318
MD5:5a14cd37a8cb00b18ada9c2500e53e5f
SHA1:bdcaf7389ddd102e274cf61393fae49e0eb10ee6
SHA256:c0c7eff42ec59832f6fa3c9a8c9e08fce760b625383ec87ae69ba72f3060c59a
Tags:exeLummaStealer
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • LisectAVT_2403002C_59.exe (PID: 5868 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_59.exe" MD5: 5A14CD37A8CB00B18ADA9C2500E53E5F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pwo", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "problemregardybuiwo.fun"], "Build id": "9zXsP2--"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.binstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Suricata Signatures

    Timestamp:2024-07-25T07:39:44.321021+0200
    SID:2022930
    Source Port:443
    Destination Port:49705
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-07-25T07:40:22.379665+0200
    SID:2022930
    Source Port:443
    Destination Port:49709
    Protocol:TCP
    Classtype:A Network Trojan was detected

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: LisectAVT_2403002C_59.exeAvira: detected
    Antivirus detection for URL or domain
    Source: associationokeo.shopAvira URL Cloud: Label: malware
    Source: turkeyunlikelyofw.shopAvira URL Cloud: Label: malware
    Source: detectordiscusser.shopAvira URL Cloud: Label: malware
    Source: technologyenterdo.shopAvira URL Cloud: Label: malware
    Found malware configuration
    Source: LisectAVT_2403002C_59.exeMalware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pwo", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "problemregardybuiwo.fun"], "Build id": "9zXsP2--"}
    Multi AV Scanner detection for submitted file
    Source: LisectAVT_2403002C_59.exeReversingLabs: Detection: 63%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
    Machine Learning detection for sample
    Source: LisectAVT_2403002C_59.exeJoe Sandbox ML: detected
    Sample uses string decryption to hide its real strings
    Source: LisectAVT_2403002C_59.exeString decryptor: associationokeo.shop
    Source: LisectAVT_2403002C_59.exeString decryptor: turkeyunlikelyofw.shop
    Source: LisectAVT_2403002C_59.exeString decryptor: pooreveningfuseor.pwo
    Source: LisectAVT_2403002C_59.exeString decryptor: edurestunningcrackyow.fun
    Source: LisectAVT_2403002C_59.exeString decryptor: detectordiscusser.shop
    Source: LisectAVT_2403002C_59.exeString decryptor: problemregardybuiwo.fun
    Source: LisectAVT_2403002C_59.exeString decryptor: lighterepisodeheighte.fun
    Source: LisectAVT_2403002C_59.exeString decryptor: technologyenterdo.shop
    Source: LisectAVT_2403002C_59.exeString decryptor: problemregardybuiwo.fun
    Source: LisectAVT_2403002C_59.exeString decryptor: lid=%s&j=%s&ver=4.0
    Source: LisectAVT_2403002C_59.exeString decryptor: TeslaBrowser/5.5
    Source: LisectAVT_2403002C_59.exeString decryptor: - Screen Resoluton:
    Source: LisectAVT_2403002C_59.exeString decryptor: - Physical Installed Memory:
    Source: LisectAVT_2403002C_59.exeString decryptor: Workgroup: -
    Source: LisectAVT_2403002C_59.exeString decryptor: 9zXsP2--
    Source: LisectAVT_2403002C_59.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: LisectAVT_2403002C_59.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp dword ptr [ecx-08h], CCC8066Ah0_2_004517F2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esi+00000128h]0_2_0043504F
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh0_2_00437031
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then movzx ebx, byte ptr [edx+esi]0_2_004288C0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esi+40h]0_2_0044095B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_0043E960
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp dword ptr [eax-08h], 0AB35B01h0_2_0043418B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [edx+ebp], bl0_2_004289A0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov word ptr [eax], dx0_2_00436266
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov word ptr [ebx], ax0_2_0043F212
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov eax, dword ptr [esi+30h]0_2_0043F212
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_00444A1C
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then jmp ecx0_2_004532E1
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esp+0Ch]0_2_00438AF0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov eax, dword ptr [esi+10h]0_2_00439350
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esi]0_2_00441B6B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esi]0_2_00441B6B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h0_2_004543C0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp byte ptr [edx+ebp], al0_2_00423390
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov eax, dword ptr [esi]0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], dl0_2_00442C0D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov eax, dword ptr [esi]0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [ecx], dl0_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_00429C20
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h0_2_00431CFA
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then jmp eax0_2_00452C90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov word ptr [ebp+00h], 0000h0_2_0042A560
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_00443DC0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_00443DC0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then inc edi0_2_004325E9
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov eax, dword ptr [esp+60h]0_2_00437E5F
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esp]0_2_00437E5F
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0044466A
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0044466A
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp byte ptr [esi], 00000000h0_2_0043B6E2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp dword ptr [eax-08h], A352EDFDh0_2_0043B6E2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh0_2_00436EA2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov ecx, dword ptr [esp+000000BCh]0_2_0043BF40
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then movzx eax, byte ptr [ebx]0_2_0045276D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then cmp word ptr [eax], 0000h0_2_004337F3
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov dword ptr [esi], ebp0_2_004217A0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 4x nop then mov dword ptr [esi+000001B0h], 00000000h0_2_004347AF

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: associationokeo.shop
    Source: Malware configuration extractorURLs: turkeyunlikelyofw.shop
    Source: Malware configuration extractorURLs: pooreveningfuseor.pwo
    Source: Malware configuration extractorURLs: edurestunningcrackyow.fun
    Source: Malware configuration extractorURLs: detectordiscusser.shop
    Source: Malware configuration extractorURLs: problemregardybuiwo.fun
    Source: Malware configuration extractorURLs: lighterepisodeheighte.fun
    Source: Malware configuration extractorURLs: technologyenterdo.shop
    Source: Malware configuration extractorURLs: problemregardybuiwo.fun
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00448090 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,0_2_00448090
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004541A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004541A0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004519B2 NtClose,0_2_004519B2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044DC00 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044DC00
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004514BF NtOpenSection,0_2_004514BF
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004516EC NtMapViewOfSection,0_2_004516EC
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00450E9D NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00450E9D
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00453EB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00453EB0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004517F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004517F2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043B06E NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043B06E
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00436010 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00436010
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454820 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00454820
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004390C1 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004390C1
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043A8E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043A8E0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044F880 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044F880
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454090 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00454090
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004500A0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtFreeVirtualMemory,0_2_004500A0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043F930 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043F930
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044513A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044513A
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043418B NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043418B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004371B9 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004371B9
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043F212 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043F212
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043AAF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043AAF0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004542B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004542B0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044FB40 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044FB40
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00433B44 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00433B44
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00439B1C NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00439B1C
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00437B38 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00437B38
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004543C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004543C0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454B90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00454B90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043E3B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043E3B0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043C3B8 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043C3B8
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004363BC NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004363BC
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043E4F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043E4F2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044FCA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044FCA0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043C4BB NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043C4BB
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454530 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00454530
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044FD90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044FD90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004415A3 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004415A3
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043B6E2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00444EE6 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00444EE6
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00436EA2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00436EA2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00444FDC NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00444FDC
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044FF90 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0044FF90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454F90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00454F90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004210000_2_00421000
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004328230_2_00432823
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004248200_2_00424820
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043F9300_2_0043F930
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044513A0_2_0044513A
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044D9A00_2_0044D9A0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004262000_2_00426200
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0044520B0_2_0044520B
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043F2120_2_0043F212
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004452A90_2_004452A9
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00428B600_2_00428B60
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004233900_2_00423390
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00454B900_2_00454B90
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004254500_2_00425450
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00442C150_2_00442C15
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00443DC00_2_00443DC0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00437E5F0_2_00437E5F
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004316000_2_00431600
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00427E100_2_00427E10
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00423E200_2_00423E20
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043B6E20_2_0043B6E2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0042A7C00_2_0042A7C0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_004267F00_2_004267F0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00422FB00_2_00422FB0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: String function: 004288A0 appears 44 times
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: String function: 004291B0 appears 146 times
    Source: LisectAVT_2403002C_59.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_00447386 CoCreateInstance,0_2_00447386
    Source: LisectAVT_2403002C_59.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: LisectAVT_2403002C_59.exeReversingLabs: Detection: 63%
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeFile read: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeJump to behavior
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeSection loaded: winhttp.dllJump to behavior
    Source: LisectAVT_2403002C_59.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043B6E2
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0042BEDC rdtsc 0_2_0042BEDC
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0042BEDC rdtsc 0_2_0042BEDC
    Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exeCode function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_0043B6E2
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    HIPS / PFW / Operating System Protection Evasion

    barindex
    LummaC encrypted strings found
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: associationokeo.shop
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: turkeyunlikelyofw.shop
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: pooreveningfuseor.pwo
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: edurestunningcrackyow.fun
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: detectordiscusser.shop
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: problemregardybuiwo.fun
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: lighterepisodeheighte.fun
    Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: technologyenterdo.shop

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.binstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.binstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    PowerShell    		1
    DLL Side-Loading    		1
    DLL Side-Loading    		11
    Deobfuscate/Decode Files or Information    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Screen Capture    		1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    Native API    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    DLL Side-Loading    		LSASS Memory2
    System Information Discovery    		Remote Desktop Protocol1
    Archive Collected Data    		1
    Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
    Obfuscated Files or Information    		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    LisectAVT_2403002C_59.exe63%ReversingLabsWin32.Trojan.LummaStealer
    LisectAVT_2403002C_59.exe100%AviraTR/Crypt.XPACK.Gen
    LisectAVT_2403002C_59.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    associationokeo.shop100%Avira URL Cloudmalware
    pooreveningfuseor.pwo0%Avira URL Cloudsafe
    lighterepisodeheighte.fun0%Avira URL Cloudsafe
    edurestunningcrackyow.fun0%Avira URL Cloudsafe
    problemregardybuiwo.fun0%Avira URL Cloudsafe
    turkeyunlikelyofw.shop100%Avira URL Cloudmalware
    detectordiscusser.shop100%Avira URL Cloudmalware
    technologyenterdo.shop100%Avira URL Cloudmalware

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    edurestunningcrackyow.funtrue
    • Avira URL Cloud: safe
    		unknown
    turkeyunlikelyofw.shoptrue
    • Avira URL Cloud: malware
    		unknown
    problemregardybuiwo.funtrue
    • Avira URL Cloud: safe
    		unknown
    lighterepisodeheighte.funtrue
    • Avira URL Cloud: safe
    		unknown
    pooreveningfuseor.pwotrue
    • Avira URL Cloud: safe
    		unknown
    detectordiscusser.shoptrue
    • Avira URL Cloud: malware
    		unknown
    technologyenterdo.shoptrue
    • Avira URL Cloud: malware
    		unknown
    associationokeo.shoptrue
    • Avira URL Cloud: malware
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1481318
    Start date and time:2024-07-25 07:38:30 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 2s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:LisectAVT_2403002C_59.exe
    Detection:MAL
    Classification:mal100.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 15
    • Number of non-executed functions: 85
    Cookbook Comments:
    • Found application associated with file extension: .exe

    Warnings

    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • VT rate limit hit for: LisectAVT_2403002C_59.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.8367873443083
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:LisectAVT_2403002C_59.exe
    File size:282'121 bytes
    MD5:5a14cd37a8cb00b18ada9c2500e53e5f
    SHA1:bdcaf7389ddd102e274cf61393fae49e0eb10ee6
    SHA256:c0c7eff42ec59832f6fa3c9a8c9e08fce760b625383ec87ae69ba72f3060c59a
    SHA512:fc2c69b0d12c224476c3c95f6f3ef28c07272794e6fd8d5ec3db429f825d7876fd7b5a4f932a6b195a77462b0efd27a498952dcc4b7fde3d9fab26613b8995a8
    SSDEEP:6144:5o78SdyYD6tShRDTOFb9XsbVgIkMSNvEGl+xEOap:5/pKhqogIkMRh
    TLSH:1E549E21E97324E0CC4A1978FAAB77BE86382707D3788FC7C790EA4565129F36435D29
    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....-.e.................D........................@.......................................@.....................................x..

    File Icon

    Icon Hash:00928e8e8686b000

    Static PE Info

    General

    Entrypoint:0x4090a0
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x65D22D96 [Sun Feb 18 16:17:26 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:a2c0b34f57a6e3d5bac0e3e87ded036f

    Entrypoint Preview

    Instruction
    push ebp
    mov ebp, esp
    push edi
    push esi
    call 00007FCA00F804ABh
    push eax
    mov edi, esp
    sub esp, 00000100h
    mov esi, esp
    jmp 00007FCA00F803A2h
    call 00007FCA00FA7C59h
    jmp 00007FCA00F803A2h
    test al, 01h
    jne 00007FCA00F803A4h
    jmp 00007FCA00F8041Eh
    call 00007FCA00FA315Ch
    test al, 01h
    jne 00007FCA00F803A4h
    jmp 00007FCA00F8040Eh
    sub esp, 04h
    mov dword ptr [esp], FFFFFFF6h
    call dword ptr [004387B4h]
    jmp 00007FCA00F803A2h
    mov dword ptr [edi], eax
    xor eax, eax
    sub esp, 0Ch
    mov dword ptr [esp], esi
    mov dword ptr [esp+04h], 00000000h
    mov dword ptr [esp+08h], 00000100h
    call 00007FCA00F7FC45h
    add esp, 0Ch
    jmp 00007FCA00F803A2h
    lea eax, dword ptr [00438446h]
    sub esp, 08h
    mov dword ptr [esp], esi
    mov dword ptr [esp+04h], eax
    call 00007FCA00F803EBh
    add esp, 08h
    jmp 00007FCA00F803A2h
    call 00007FCA00F817E1h
    jmp 00007FCA00F803A2h
    test al, 01h
    jne 00007FCA00F803A4h
    jmp 00007FCA00F803A9h
    call 00007FCA00F88A04h
    jmp 00007FCA00F803A2h
    jmp 00007FCA00F803A2h
    jmp 00007FCA00F803A2h
    jmp 00007FCA00F803A2h
    jmp 00007FCA00F803A2h
    call 00007FCA00FA9DB5h
    xor eax, eax
    sub esp, 04h
    mov dword ptr [esp], 00000000h
    call dword ptr [004387ACh]
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    push ebx
    mov edx, dword ptr [esp+0Ch]
    mov ecx, dword ptr [esp+00h]

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x386bb0x78.rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x440000x490c.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x387ac0x78.rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x342cb0x34400d770dc4239969f53d31d70f1421e1e52False0.524115019437799data6.520587031655705IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata0x360000x29a30x2a0054f965dcf272f49ab9ceb827934d231aFalse0.49181547619047616data6.737563728316649IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x390000xa1f00x92007f0ffc3f25ae838d746a32cabf4f8230False0.6998608732876712data7.163153579411729IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc0x440000x490c0x4a003dc5d2c50808bdedf563e6138380b59eFalse0.5532094594594594data6.511386797952136IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Imports

    DLLImport
    KERNEL32.dllExitProcess, GetLastError, GetStdHandle
    OLEAUT32.dllSysAllocString, SysFreeString, SysStringLen, VariantClear, VariantInit
    ole32.dllCoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
    USER32.dllGetDC, ReleaseDC
    GDI32.dllBitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, GetDeviceCaps, GetObjectW, SelectObject, SelectPalette

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:01:39:22
    Start date:25/07/2024
    Path:C:\Users\user\Desktop\LisectAVT_2403002C_59.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\LisectAVT_2403002C_59.exe"
    Imagebase:0x420000
    File size:282'121 bytes
    MD5 hash:5A14CD37A8CB00B18ADA9C2500E53E5F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    Disassembly

    Reset < >

      Execution Graph

      Execution Coverage:1.7%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:50.9%
      Total number of Nodes:53
      Total number of Limit Nodes:6
      execution_graph 9167 4290a0 9168 4290aa 9167->9168 9169 4290c2 9168->9169 9171 4290cf GetStdHandle 9168->9171 9172 4290cd 9168->9172 9170 429140 ExitProcess 9169->9170 9173 4290e1 9171->9173 9172->9170 9173->9172 9174 4541a0 9176 4541b9 9174->9176 9178 4541df 9174->9178 9175 4541f3 NtAllocateVirtualMemory 9177 454283 NtFreeVirtualMemory 9175->9177 9176->9175 9176->9178 9177->9178 9179 4516ec 9180 45170c 9179->9180 9181 45174d NtMapViewOfSection 9180->9181 9182 45152a 9183 4515a0 LoadLibraryW 9182->9183 9185 45169a 9183->9185 9186 451e75 9189 451a16 9186->9189 9187 451f74 9188 451b09 LoadLibraryW 9188->9189 9190 451a00 9188->9190 9189->9186 9189->9187 9189->9188 9189->9189 9191 4522b5 9192 4522d5 9191->9192 9193 4522d7 RtlAllocateHeap 9191->9193 9192->9193 9194 451b55 9195 451bd1 9194->9195 9196 451c1f LoadLibraryW 9194->9196 9195->9196 9197 451c26 9196->9197 9198 44cf95 9199 44d227 9198->9199 9202 44dc00 9199->9202 9203 44d414 9202->9203 9204 44dc19 9202->9204 9204->9203 9205 44dc50 NtAllocateVirtualMemory 9204->9205 9206 44dcda NtFreeVirtualMemory 9205->9206 9206->9203 9207 453eb0 9208 453ed0 9207->9208 9214 44f750 RtlAllocateHeap 9208->9214 9210 453ef0 9211 453faf 9210->9211 9212 453fb4 NtAllocateVirtualMemory 9210->9212 9213 454057 NtFreeVirtualMemory 9212->9213 9213->9211 9214->9210 9226 450e9d 9227 450ec3 9226->9227 9230 450edf NtAllocateVirtualMemory 9226->9230 9228 450ee4 NtAllocateVirtualMemory 9227->9228 9227->9230 9231 450f6a NtFreeVirtualMemory 9228->9231 9232 451076 NtFreeVirtualMemory 9230->9232 9231->9230 9233 4514bf 9236 4535f0 9233->9236 9235 4514cf NtOpenSection

      Executed Functions

      Function 00453EB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147nativememoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 50 453eb0-453ec4 51 453ed0-453ed9 50->51 51->51 52 453edb-453ede 51->52 53 453ee7 52->53 54 453ee0-453ee5 52->54 55 453eea-453f12 call 44f750 53->55 54->55 58 453f14-453f17 55->58 59 453f32-453f8b 55->59 60 453f20-453f30 58->60 61 454074-454086 call 4288a0 59->61 62 453f91-453f99 59->62 60->59 60->60 63 453fa0-453fa7 62->63 65 453fb4-45406e NtAllocateVirtualMemory NtFreeVirtualMemory 63->65 66 453fa9-453fad 63->66 65->61 66->63 68 453faf 66->68 68->61
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00454011
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0045406E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: ,$@
      • API String ID: 292159236-1227015840
      • Opcode ID: ee51543cf079a4f1565bb3071dafa6d0527563f34b2a52ce98db464fbff43d9b
      • Instruction ID: a639b524e35ec40364060e74fad9dd0f313b320869dc9639653be9a1c9e72422
      • Opcode Fuzzy Hash: ee51543cf079a4f1565bb3071dafa6d0527563f34b2a52ce98db464fbff43d9b
      • Instruction Fuzzy Hash: 49418CB1109704AFD710CF14CC44B5AB7E4FF85369F148A1DF9A48B2E1E3B99608CB5A
      Function 00450E9D Relevance: 6.1, APIs: 4, Instructions: 127nativememoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 70 450e9d-450ebd 71 450fa5-450fc5 70->71 72 450ec3-450ecb 70->72 73 450fc7-450fcf 71->73 74 450f90-450fa2 71->74 75 450ed0-450ed7 72->75 76 450fd0-450fd7 73->76 74->71 77 450ee4-450f85 NtAllocateVirtualMemory NtFreeVirtualMemory 75->77 78 450ed9-450edd 75->78 79 450ff0-4510a3 NtAllocateVirtualMemory NtFreeVirtualMemory 76->79 80 450fd9-450fdd 76->80 77->71 78->75 81 450edf 78->81 80->76 82 450fdf 80->82 81->71 82->74
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00450F44
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00450F7F
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: d4e6844d05af916a33e7eb6ee1ce36970ec6dff693c0702e1563679b80195ae6
      • Instruction ID: 66bfb718ad9b6d1925e4bc71df49e91d264ef2f9045d33282e714e25e8d4ab65
      • Opcode Fuzzy Hash: d4e6844d05af916a33e7eb6ee1ce36970ec6dff693c0702e1563679b80195ae6
      • Instruction Fuzzy Hash: 0D5124B5209341AFE310CF04D948B1BBBE4FB85758F14491CF6A19B2E1D7F8994C8B9A
      Function 004517F2 Relevance: 6.1, APIs: 4, Instructions: 121nativememoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 85 4517f2-4517fb 86 451821-451823 85->86 87 4517fd-45180f 85->87 89 4518d1-4518df 86->89 90 451829 86->90 88 451810-451817 87->88 92 45182e-4518cf NtAllocateVirtualMemory NtFreeVirtualMemory 88->92 93 451819-45181d 88->93 91 4518e0-4518e7 89->91 94 4518ef-451901 90->94 95 451904-4519af NtAllocateVirtualMemory NtFreeVirtualMemory 91->95 96 4518e9-4518ed 91->96 92->89 92->94 93->88 97 45181f 93->97 94->95 96->91 96->94 97->86
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0045188E
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004518C1
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00451964
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00451997
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 0170f97e60d80e7b594b5d4e6d857eba9c98f4a5a9b5ffcac1717d5ee7eb8719
      • Instruction ID: 20022012c585f40b3d9b4ca677ac7272bb5963cb8b0869c287de0da8a2fb968c
      • Opcode Fuzzy Hash: 0170f97e60d80e7b594b5d4e6d857eba9c98f4a5a9b5ffcac1717d5ee7eb8719
      • Instruction Fuzzy Hash: 584137B1209306AFE314DF04C844B2BBBE4FB85355F14492DE9A1972E0D7B8D84CCB9A
      Function 004541A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87nativememoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 100 4541a0-4541b7 101 4541df-4541e1 100->101 102 4541b9-4541ca 100->102 103 4541e3-4541e7 101->103 104 4541e9-4541f2 101->104 105 4541d0-4541d7 102->105 103->104 106 4541f3-45427e NtAllocateVirtualMemory 105->106 107 4541d9-4541dd 105->107 108 454283-4542a2 NtFreeVirtualMemory 106->108 107->101 107->105 108->103 109 4542a8 108->109 109->104
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00454252
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0045429A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: $
      • API String ID: 292159236-3993045852
      • Opcode ID: b7dcf4c39752c7e0d6ad4ad2c583505ebcf2a6781bcbd7f9ff4b4da16f93e128
      • Instruction ID: 7096391e6f04aebd0bfa7bf21c271966c32fca6df6b4790b3729ca6e9a550823
      • Opcode Fuzzy Hash: b7dcf4c39752c7e0d6ad4ad2c583505ebcf2a6781bcbd7f9ff4b4da16f93e128
      • Instruction Fuzzy Hash: B7317CB4208704AFE310CF15DC84B1BBBE8EBC5718F14492DFA949B3D0D7B599488B96
      Function 0044DC00 Relevance: 3.1, APIs: 2, Instructions: 86nativememoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 150 44dc00-44dc13 151 44dcf7-44dd00 150->151 152 44dc19-44dc32 150->152 153 44dc40-44dc43 152->153 154 44dc45-44dc49 153->154 155 44dc50-44dcd5 NtAllocateVirtualMemory 153->155 154->153 156 44dc4b 154->156 157 44dcda-44dcf1 NtFreeVirtualMemory 155->157 156->151 157->151
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0044DCAF
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0044DCF1
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: d9d473e54bbfdf49740e45b1f189529c379e81ffaf3fc7b914f511f8185136b5
      • Instruction ID: f5d744672cd4b47a295414a9215f50584185fb8e4205143f123c4d46f52d740e
      • Opcode Fuzzy Hash: d9d473e54bbfdf49740e45b1f189529c379e81ffaf3fc7b914f511f8185136b5
      • Instruction Fuzzy Hash: E4212A71209305AFE300CF14D884B1BBBE8EB89364F14891DFAA4873D0D3B59848CBA6
      Function 004516EC Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 172 4516ec-451781 call 4535f0 * 2 NtMapViewOfSection
      APIs
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 0045176C
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: SectionView
      • String ID:
      • API String ID: 1323581903-0
      • Opcode ID: 387b7006cbc5b61d7343b6dba9c0abc17e4ecb30deace3ce2358d2cdeed75ed8
      • Instruction ID: a0c6f7bc9319594c68f4c8536665ae19eb4e1580028305cf9b991822f1cedd41
      • Opcode Fuzzy Hash: 387b7006cbc5b61d7343b6dba9c0abc17e4ecb30deace3ce2358d2cdeed75ed8
      • Instruction Fuzzy Hash: 430144B03983407EE6249F00DC07F1A7BB5AB80B15F20861CF260691F6E7F169088F5A
      Function 004514BF Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 179 4514bf-4514ef call 4535f0 NtOpenSection
      APIs
      • NtOpenSection.NTDLL(?,00000004), ref: 004514DA
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: OpenSection
      • String ID:
      • API String ID: 1950954290-0
      • Opcode ID: 0fca4385432686b1ad43a480d8b7e2c381494f00f803f7209aced4f33753cebe
      • Instruction ID: e03f97419a3936fc29e2b27678858a89d097c8792bb1e414e08d4e14dde97d3c
      • Opcode Fuzzy Hash: 0fca4385432686b1ad43a480d8b7e2c381494f00f803f7209aced4f33753cebe
      • Instruction Fuzzy Hash: B8D0A7B0150240ABC71CDB54DC02D363356A7C1307F18403CF105522B3E9B0A50BCB19
      Function 004519B2 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 182 4519b2-4519e4 call 4535f0 NtClose
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: Close
      • String ID:
      • API String ID: 3535843008-0
      • Opcode ID: 4959370c8add650f5ed67964f9b22a5dcb580fa01400ab3c3bd2a70feccdd50a
      • Instruction ID: 894029653f5e8db28730808ba59c7a7eef926fa153ec7da92067ff30b1f10143
      • Opcode Fuzzy Hash: 4959370c8add650f5ed67964f9b22a5dcb580fa01400ab3c3bd2a70feccdd50a
      • Instruction Fuzzy Hash: BCD0A7711A41807FC6009B58EC014257B60AB45347704043AF891C2223E57986289E1A
      Function 00451E75 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 126COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 451e75-451e7a 1 451e7b-451f21 call 4535f0 * 3 0->1 7 451f23 1->7 8 451f69-451f6e 1->8 9 451f30-451f67 7->9 11 451f74 8->11 12 451a16-451ac7 call 4535f0 * 3 8->12 9->8 9->9 19 451b09-451b0e LoadLibraryW 12->19 20 451ac9 12->20 22 451b14-451b19 19->22 23 451a00-451a13 19->23 21 451ad0-451b07 20->21 21->19 21->21 22->0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: C%R+$C%R+$R5X;$R5X;$U)X/$U)X/$V98?$V98?
      • API String ID: 0-17140411
      • Opcode ID: dbdfa4d0774085f447d105ba59f1e6f3db0677ead718890e4b84f5eb6e92c6ef
      • Instruction ID: 3ab07a59e9dde65d82720922015e1761f2065f5f77de5410bb7de670cb63b027
      • Opcode Fuzzy Hash: dbdfa4d0774085f447d105ba59f1e6f3db0677ead718890e4b84f5eb6e92c6ef
      • Instruction Fuzzy Hash: 394182B0509341AFD704CF10DAA071BBFE1EB85746F04492DF8895B352E3B98A49CB8B
      Function 00451A16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66libraryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 25 451a16-451ac7 call 4535f0 * 3 32 451b09-451b0e LoadLibraryW 25->32 33 451ac9 25->33 35 451b14-451f21 call 4535f0 * 3 32->35 36 451a00-451a13 32->36 34 451ad0-451b07 33->34 34->32 34->34 45 451f23 35->45 46 451f69-451f6e 35->46 47 451f30-451f67 45->47 46->25 49 451f74 46->49 47->46 47->47
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: C%R+$R5X;$U)X/$V98?
      • API String ID: 1029625771-2675831890
      • Opcode ID: aa2e772b57974ef3bc7f4b8a8090abd0de1adfa740adc306429d862860a4f902
      • Instruction ID: 89be5c62d716150f2314b894dfa71b9abe62d0a5c3f4ab9fda1d0bb49f2aef5d
      • Opcode Fuzzy Hash: aa2e772b57974ef3bc7f4b8a8090abd0de1adfa740adc306429d862860a4f902
      • Instruction Fuzzy Hash: 992171B0509341AFD704CF10DAA171B7FE1EB85746F14492DE88917362E3B59A49CB8B
      Function 00451B55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65libraryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 110 451b55-451bcf 111 451bd1 110->111 112 451c1f-451c24 LoadLibraryW 110->112 113 451be0-451c1d 111->113 114 451c26 112->114 115 451c2b-451c46 112->115 113->112 113->113 114->115
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: pq$uw
      • API String ID: 1029625771-2542560687
      • Opcode ID: 04348893eccb383cd9feaf06dd4aefcc8c07a79208c9820b71ad7ad76f693577
      • Instruction ID: 5b97c358cdcb3e5328b5ea6bb80311cd389b27e00e9aaecb9d673ee79ab3d917
      • Opcode Fuzzy Hash: 04348893eccb383cd9feaf06dd4aefcc8c07a79208c9820b71ad7ad76f693577
      • Instruction Fuzzy Hash: 9E2164742483019BD308CF10D6A032FBBE1EFC5748F404E1DE89A8B290D779E909CB8A
      Function 004290A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 116 4290a0-4290c0 call 4291b0 call 450970 123 4290c2 116->123 124 4290c4 call 44be80 116->124 125 429140-42914c ExitProcess 123->125 127 4290c9-4290cb 124->127 128 4290cf-429128 GetStdHandle call 4289a0 call 429160 call 42a560 127->128 129 4290cd 127->129 142 42912a 128->142 143 42912c-429131 call 431790 128->143 130 42913b call 452b50 129->130 130->125 144 429133-429139 142->144 143->144 144->130
      APIs
      Strings
      • eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 00429105
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: ExitProcess
      • String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
      • API String ID: 621844428-3721107060
      • Opcode ID: 4fed506d67fe733810c5d5f7e6e094240d66be660b9bf06374b389b275dc8513
      • Instruction ID: b8e2d333bb2c02f3bd2ce33ed69efa4be0afbe4d27b1562ad077a3def95ac55a
      • Opcode Fuzzy Hash: 4fed506d67fe733810c5d5f7e6e094240d66be660b9bf06374b389b275dc8513
      • Instruction Fuzzy Hash: CA118270A08236D6E6007B77B90E23A7BB49B55315FA0452FE8C642146EB3C4C66929F
      Function 0045152A Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 158 45152a-45159e 159 4515a0-4515d1 158->159 160 4515d3-4515d8 158->160 159->159 159->160 162 4515df-451653 160->162 163 4515da 160->163 164 451655 162->164 165 451693-451698 LoadLibraryW 162->165 163->162 166 451660-451691 164->166 167 45169f-4516b2 165->167 168 45169a 165->168 166->165 166->166 168->167
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 7926e363f8d5154f18822cbecbccec5737325242957d960b05aaba0fd921b63e
      • Instruction ID: 50555c7a5f96b5c33f5f1de3583bae19e3f3db2182e0b26d0e362c9f8bcdd8d2
      • Opcode Fuzzy Hash: 7926e363f8d5154f18822cbecbccec5737325242957d960b05aaba0fd921b63e
      • Instruction Fuzzy Hash: 1D4105B0108341ABD708CF10CAA471FBBE1EFC5B08F558A1CE8951B791D3B9D949DB8A
      Function 004522B5 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 169 4522b5-4522d3 170 4522d5 169->170 171 4522d7-45235f RtlAllocateHeap 169->171 170->171
      APIs
      • RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 0045231C
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: 57e3e6653c3163a018ba592a2c1f60a58ff147b371dafed949e6400c078f8e2d
      • Instruction ID: 9838577ed0fddb13864eb307c4de01a057f205660079202186d9c46c2614b128
      • Opcode Fuzzy Hash: 57e3e6653c3163a018ba592a2c1f60a58ff147b371dafed949e6400c078f8e2d
      • Instruction Fuzzy Hash: 6011E032A005249FC718CF68E951A9AB3F1BB88754F16063DE912E73A1D7B49C45CB88
      Function 0044F750 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 178 44f750-44f7a9 RtlAllocateHeap
      APIs
      • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0044F79F
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: a94bed3d4e45268db3bf54130f042ced5cab18c8ceb0097890b9c4784c2675cf
      • Instruction ID: e0bbf6eb276d3df9b30a2adddeacf57a0c5c79c8f6467f7e8ab95158ccd04a3a
      • Opcode Fuzzy Hash: a94bed3d4e45268db3bf54130f042ced5cab18c8ceb0097890b9c4784c2675cf
      • Instruction Fuzzy Hash: DDF0A072B146105FD304DB29ED1679A77E2ABD4B00F01C83DE484DB258D6789C9ADB8A

      Non-executed Functions

      Function 00448090 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 210COMMON
      Download Yara Rule
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: CapsDeviceObjectSelect
      • String ID: $ E$$E$,E$0E$8E$<E$DE$HE$PE$TE$\E$`E$hE$lE$tE$xE$E$E
      • API String ID: 4288853314-587768228
      • Opcode ID: 9990628e006af486f87e91f253ed4ee10fd8a2731291e608ece7e49950507b54
      • Instruction ID: 73ee1a3a70d1bf15d89eef8d4fea74acf0b65345be28ca82e9cf2cc348bb5596
      • Opcode Fuzzy Hash: 9990628e006af486f87e91f253ed4ee10fd8a2731291e608ece7e49950507b54
      • Instruction Fuzzy Hash: 8CD172B45183808FD3B8DF25D58869ABBF0BBC9306F50892ED89957352CB749548CF4B
      Function 00429C20 Relevance: 15.4, Strings: 12, Instructions: 435COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: !=$?$0$01$C\CP$S-M/$SDA^$U~E$V%T'$X)N+$Y!G#$ZW$tFsw
      • API String ID: 0-3833782745
      • Opcode ID: 2b119f5af66b1e145666ecf2d5f2224853f35e9f5bfc0224dd350c6d6fe491f4
      • Instruction ID: 9cb7ab20d2b45c331bfe7f6074aabf554e776c893b5649db1fce7836090ace91
      • Opcode Fuzzy Hash: 2b119f5af66b1e145666ecf2d5f2224853f35e9f5bfc0224dd350c6d6fe491f4
      • Instruction Fuzzy Hash: AD0202B02083828BE324CF15D494B6FBBE1BBC6348F544D1DE5D58B292D779D809CB96
      Function 004217A0 Relevance: 15.4, Strings: 12, Instructions: 417COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: .$.$0$W"o$[$false$null$true${$Tq$lq$mo
      • API String ID: 0-714744601
      • Opcode ID: aee2b71ad17281dadb7543e6231566bf757ae500564ceda4fd686dcfbc23e27f
      • Instruction ID: 63eabc5cbb4db5ff1d1881713d933b5cd18dc7c76dc93031b9d851ee13263de5
      • Opcode Fuzzy Hash: aee2b71ad17281dadb7543e6231566bf757ae500564ceda4fd686dcfbc23e27f
      • Instruction Fuzzy Hash: 80D104B4B043259BD7106F21F88572B7AE4AF60348F98443FE88646362EB7DD905C75E
      Function 0044513A Relevance: 14.9, APIs: 4, Strings: 4, Instructions: 903nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00445847
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0044587D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: QQch$eL"M$qFvs$}Nmk
      • API String ID: 292159236-392577269
      • Opcode ID: b6a6f6ca83679bf1004db19b2fcc05564a0d85aa99d186fefa2c64d8d9dc55ff
      • Instruction ID: 3f253dc82a3387b7d354bf514e9d108a811aef7d74601382e2badca5b38dd706
      • Opcode Fuzzy Hash: b6a6f6ca83679bf1004db19b2fcc05564a0d85aa99d186fefa2c64d8d9dc55ff
      • Instruction Fuzzy Hash: 94629D70204B418FE724CF29C490722FBF2FF5A314F28865ED4968BB92D779A845CB95
      Function 004500A0 Relevance: 13.9, APIs: 9, Instructions: 433nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 004500F1
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,?,00003000,00000040), ref: 00450246
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 00450290
      • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004502E7
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000004), ref: 00450310
      • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0045068E
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 5229258d099670e9b6b33425a7ad2e9ce32f0d7e2be112f2ebd022c70c916755
      • Instruction ID: 2237eb5fe31bb7875acac41b80d59902101da078e13966981e87b5ff0cbdc3ac
      • Opcode Fuzzy Hash: 5229258d099670e9b6b33425a7ad2e9ce32f0d7e2be112f2ebd022c70c916755
      • Instruction Fuzzy Hash: C3F18B752083519FD714CF14C840B5FBBE4BBC9314F148A2DFAA58B392D7B99848CB96
      Function 0043B6E2 Relevance: 11.1, APIs: 7, Instructions: 623COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 15297ca9835330ea6bc3818ea20a999b2ba37bd4fd3848d2da4a22ce6d2b154e
      • Instruction ID: bbbc0587654afced6859e1bdeff5545bb769c5d16a8c4cce42dc6b42d79391cc
      • Opcode Fuzzy Hash: 15297ca9835330ea6bc3818ea20a999b2ba37bd4fd3848d2da4a22ce6d2b154e
      • Instruction Fuzzy Hash: F1322631608351DFC715CF28C890B6ABBE1FF8A305F08856EE59587392D738E945CB9A
      Function 0043F212 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 576nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043F497
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0043F4CD
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043F613
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0043F64B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: [tDJ$kNDW
      • API String ID: 292159236-3823844181
      • Opcode ID: def622a497a2f837ca944f1529aed12897312bd5c5a1827c8d87f84632ed74cf
      • Instruction ID: c943999bb2d71c7519240cb091b561ed8e3fbbc3a6dd0d2c2b54914554455ec6
      • Opcode Fuzzy Hash: def622a497a2f837ca944f1529aed12897312bd5c5a1827c8d87f84632ed74cf
      • Instruction Fuzzy Hash: 2B1269B1A00B018FD724CF25D880BA3B7E5BB59314F145A2EE49687BA1D778F849CB49
      Function 0043BF40 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 223COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0043C064
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0043C08F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: !]!_$#U+W$#r8$+Y;[
      • API String ID: 237503144-3298446581
      • Opcode ID: a006c08c583a39893310f61dc63e8c2cd982578091d191051e6ddd43c6f9ab3a
      • Instruction ID: 32f761041b773db48b5698032fd35f9bab71f1e6cda05d58541548135fec02e4
      • Opcode Fuzzy Hash: a006c08c583a39893310f61dc63e8c2cd982578091d191051e6ddd43c6f9ab3a
      • Instruction Fuzzy Hash: 1C719D70108381CBE7248F15C8A1BABB7F1EF89354F04591EF491AB391E3B89945CB9B
      Function 0043F930 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 345nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043F9D1
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043FA0D
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043FAC9
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0043FB05
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: c'nc
      • API String ID: 292159236-437297503
      • Opcode ID: 5f78aa56b16b3c75c5436f00e0c5e3961a52bc7ed8d86849476b88ef73258572
      • Instruction ID: 1f84b9c49de763e209cd154c9c51bb38cb87cdc15a3a8daca50024b0d676054e
      • Opcode Fuzzy Hash: 5f78aa56b16b3c75c5436f00e0c5e3961a52bc7ed8d86849476b88ef73258572
      • Instruction Fuzzy Hash: BBC1C1B1A083119FE710CF14C89076BB7E0FF89754F18592EE9D59B391E3789908CB9A
      Function 00454B90 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00454C34
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00454C7B
      • NtAllocateVirtualMemory.NTDLL(000000FF,000000B8,00000000,0000BA00,00003000,00000040), ref: 00454D3B
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00454D87
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: R-,T
      • API String ID: 292159236-635581381
      • Opcode ID: 68c415aea074222886b62530b48727e5eee6f2f41f01ec057f909d6f4f693f6e
      • Instruction ID: 22f674d1dc5d173016e882caa7cd065a2b4a8fabf47890deb8a05053020909e7
      • Opcode Fuzzy Hash: 68c415aea074222886b62530b48727e5eee6f2f41f01ec057f909d6f4f693f6e
      • Instruction Fuzzy Hash: 99C1D1752083519FC714CF58C880A2BFBE1BFC8319F18861DE9954B3A2D778D849CB9A
      Function 00436EA2 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00436F14
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00436F44
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: |[H
      • API String ID: 292159236-2212627739
      • Opcode ID: 670499ae543877a00f2525136b0e56eb3e5ddbac2a6324f215504989bb50942d
      • Instruction ID: dd9c478caf96e67693738f47ac52d68735b3153c59e181cd593e89a68097bf9d
      • Opcode Fuzzy Hash: 670499ae543877a00f2525136b0e56eb3e5ddbac2a6324f215504989bb50942d
      • Instruction Fuzzy Hash: 5F4117B5201B05AFD324CF10D944B57B7E8EB08714F148A2DE5A68BAA0D7B8E449CB99
      Function 0044F880 Relevance: 7.7, APIs: 5, Instructions: 200memorynativeCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0044F925
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0044F963
      • RtlAllocateHeap.NTDLL(?,00000000,00000000), ref: 0044F9C1
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0044FA5F
      • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 0044FA9B
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$Allocate$Free$Heap
      • String ID:
      • API String ID: 996896184-0
      • Opcode ID: de3958ee12a1cdb8cf59fa87605117d9229c34e57cf369aa6d218dc260d8004a
      • Instruction ID: da3ab249ec03cf796af3fddd38ed507e3ac1516b9e7a083f4b503c02e47b262b
      • Opcode Fuzzy Hash: de3958ee12a1cdb8cf59fa87605117d9229c34e57cf369aa6d218dc260d8004a
      • Instruction Fuzzy Hash: D5615DB1209741AFE314CF14C844B5BBBE5FBC5714F148A2DF5949B390D7B89848CB9A
      Function 0043B06E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 216COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: FE33$IMB@
      • API String ID: 0-789939345
      • Opcode ID: dda54a4df32cfd4b17432a4797eb31ba39128e4bf7a6ebcb6983fdc54c37366e
      • Instruction ID: bc125f71a0e7681220481b4c618404e488a4fc4935eacdc480dcd16ba3d0aaba
      • Opcode Fuzzy Hash: dda54a4df32cfd4b17432a4797eb31ba39128e4bf7a6ebcb6983fdc54c37366e
      • Instruction Fuzzy Hash: DE7156B02083849FE724CF24D994B5FBBE0FB85354F40591EF6998B391D778980ACB96
      Function 00441B6B Relevance: 6.7, APIs: 4, Instructions: 677COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,00000000,?), ref: 00441CA3
      • RtlExpandEnvironmentStrings.NTDLL(00000000,7FCC7DCA,00000009,00000000,?,?), ref: 00441CD2
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,00000000,?), ref: 004420F3
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,00000009,00000000,?,?), ref: 0044211F
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID:
      • API String ID: 237503144-0
      • Opcode ID: a5b3fe2fe7775f59ff3f2ff008a91f5b68c180f38ee2dc05771bbef35ec4fb5b
      • Instruction ID: cf4361bf7b92ef6fe1f7eae76113896cdda5ed7d1730a28fc1fd71cd1aaf4092
      • Opcode Fuzzy Hash: a5b3fe2fe7775f59ff3f2ff008a91f5b68c180f38ee2dc05771bbef35ec4fb5b
      • Instruction Fuzzy Hash: 7C4246B45006019FE3248F29C591B23BBF1FF4A314F244A4DE8D68B7A5D379A886CBD5
      Function 00442C15 Relevance: 6.5, Strings: 4, Instructions: 1457COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: %'te$JJ;@$3$?
      • API String ID: 0-1321762328
      • Opcode ID: 7dddb46a1c6664dd0e92744001123339764e2b2dd42d8430a6117edb0160af65
      • Instruction ID: 2f1bc64ca61fdbe5af3520c023d1425e45bbd1056a7739a1030e8493ca89b2dc
      • Opcode Fuzzy Hash: 7dddb46a1c6664dd0e92744001123339764e2b2dd42d8430a6117edb0160af65
      • Instruction Fuzzy Hash: 40B26F705046828FE329CF29C090B62FBF1BF5A305F28859DD4D68B392C779E946CB94
      Function 00442C0D Relevance: 6.4, Strings: 4, Instructions: 1357COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: %'te$JJ;@$3$?
      • API String ID: 0-1321762328
      • Opcode ID: 2447c1ab5243b8bdc266d110c67951c78bfb4ca046b28f10a7fa57b64db15a0a
      • Instruction ID: f5983ccc63ef8b88cc2c6726b53beb1087d1e371e7c02ee6bb9020373ede1a03
      • Opcode Fuzzy Hash: 2447c1ab5243b8bdc266d110c67951c78bfb4ca046b28f10a7fa57b64db15a0a
      • Instruction Fuzzy Hash: ECB24E705056828FE329CF28C090B52FBF1BF5A305F28859DD4D68F392C779A986CB94
      Function 00454820 Relevance: 6.3, APIs: 4, Instructions: 271nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004548C4
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00454909
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 004549C6
      • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 00454A0B
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: a1eefda8b8f5cb173f30d9c04f90dad396d24378501aebeec1304ddcf2e43ee5
      • Instruction ID: 6c370c893160dd207145468181eab3ada412ec6600b6d6160839d6aa876265e8
      • Opcode Fuzzy Hash: a1eefda8b8f5cb173f30d9c04f90dad396d24378501aebeec1304ddcf2e43ee5
      • Instruction Fuzzy Hash: 40A149742083069FD314CF18C880B2BB7E5EFC8759F144A1DE9948B3A1D774E949CB5A
      Function 00454F90 Relevance: 6.3, APIs: 4, Instructions: 267nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0045506F
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004550B5
        • Part of subcall function 0044F750: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0044F79F
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 00455179
      • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 004551C2
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$Allocate$Free$Heap
      • String ID:
      • API String ID: 996896184-0
      • Opcode ID: dd9cc1b30fe6ebfa00f60bba5f82de7dc4f27b27cda7c1602cc67b082a2b6748
      • Instruction ID: 516510f89062ed6290914fe05cb57bc0d5e1159b2c979ee7af32b74bb02a691d
      • Opcode Fuzzy Hash: dd9cc1b30fe6ebfa00f60bba5f82de7dc4f27b27cda7c1602cc67b082a2b6748
      • Instruction Fuzzy Hash: 0B91F0702097519BD310CF18D85073BBBE4EF85315F188A6DF8A587392E3B9E849CB96
      Function 00454530 Relevance: 6.2, APIs: 4, Instructions: 229nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004545D1
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00454619
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 004546D5
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0045471F
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: ecb18601701307a273b687c47e3b42a7bb1791352916cde1b703703d283e7b09
      • Instruction ID: c61ac79fb1f3762db7005e7e21fd2540ad3e0e194cddb0826d45a0609e0954b5
      • Opcode Fuzzy Hash: ecb18601701307a273b687c47e3b42a7bb1791352916cde1b703703d283e7b09
      • Instruction Fuzzy Hash: 1D8160742083069FD710DF18C880B2BB7E5EFC9754F14452DF9949B3A1E7789948CB9A
      Function 0044FD90 Relevance: 6.1, APIs: 4, Instructions: 147nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0044FE51
      • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000000,00008000), ref: 0044FE8F
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000010,00000000,0000BA00,00003000,00000040), ref: 0044FF2F
      • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 0044FF63
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 261fc6d89860c99bfc6a694d4da44158b9b0ba047d93ae6fd4da51762707d01c
      • Instruction ID: c59f161a241e30040640c0000f7e7f28804ddb37b6682b9c9004727524fbfa9f
      • Opcode Fuzzy Hash: 261fc6d89860c99bfc6a694d4da44158b9b0ba047d93ae6fd4da51762707d01c
      • Instruction Fuzzy Hash: A5512CB0209705AFE314CF04C844B1BBBE8EB85754F14892EF5A58B3E1D7B9984CCB96
      Function 00437B38 Relevance: 6.1, APIs: 4, Instructions: 122nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00437BB8
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00437BEB
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 4a670a63c7d766b31729b0810c6b0726cb8ed5fbc389069a13fcdacdb9a4c7ec
      • Instruction ID: 0a281ed3ac68af4a4607dc76c7149d7a4d496625142afb286d02ebb8902c8665
      • Opcode Fuzzy Hash: 4a670a63c7d766b31729b0810c6b0726cb8ed5fbc389069a13fcdacdb9a4c7ec
      • Instruction Fuzzy Hash: 054114B0201B059FE324CF14C944B22B7E8EF08714F149A2DD2A78BBA1D7B4E449CB99
      Function 0043AAF0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 338nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043AE41
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043AE75
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: de
      • API String ID: 292159236-2106599819
      • Opcode ID: b092913d316d80c0bde9336f7456adafa83d31a5aec17525d498a403695aec7f
      • Instruction ID: 176b7e03286a5c8193389325496955fd793a1df71c584b452d57a76725a49cb0
      • Opcode Fuzzy Hash: b092913d316d80c0bde9336f7456adafa83d31a5aec17525d498a403695aec7f
      • Instruction Fuzzy Hash: 9491BCB16443019BD710DF14C892B6BB3E5EF99324F08592DE9D18B391E378E918C79B
      Function 00424820 Relevance: 5.5, Strings: 4, Instructions: 508COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: )$IDAT$IEND$IHDR
      • API String ID: 0-3181356877
      • Opcode ID: c2682c649ce539fa86cb11bc5dd28ea28ba8a84b6dc2eb0450b2c77e8a92cae5
      • Instruction ID: 3516e37c1318d92b557fc32c80320a5d36cdfe118583e77e74f31a777e32a7d6
      • Opcode Fuzzy Hash: c2682c649ce539fa86cb11bc5dd28ea28ba8a84b6dc2eb0450b2c77e8a92cae5
      • Instruction Fuzzy Hash: 54122271A043608FD714DF28EC8076B7BE0EBC5314F85856EE9858B392D778D909CB96
      Function 00437E5F Relevance: 5.5, Strings: 4, Instructions: 501COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: SW$azF$pq$ihW
      • API String ID: 0-579171305
      • Opcode ID: c74285619a7bf6b8430b9f844d9810856dc9084933ae1bada25df92e4de84ced
      • Instruction ID: 68d1dd2727efa7317f3d628defb1902fd1ba62d13566e9d0703a0126c10511e2
      • Opcode Fuzzy Hash: c74285619a7bf6b8430b9f844d9810856dc9084933ae1bada25df92e4de84ced
      • Instruction Fuzzy Hash: E8121FB45093819BE708DF11D5A1B5FBBF2BBCA708F14891CE4D54B395C73A8909CB8A
      Function 0043C4BB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043C74F
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043C797
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: ba
      • API String ID: 292159236-749160980
      • Opcode ID: 42fe317ec0008d227838f936d24be1f7f172a9bda5c82dfa25b5fcd560258eae
      • Instruction ID: 45a1d87f348f7c4f14db7e86cdd2a7a8b1f90af6bc88c687d0640b82ebac1bb8
      • Opcode Fuzzy Hash: 42fe317ec0008d227838f936d24be1f7f172a9bda5c82dfa25b5fcd560258eae
      • Instruction Fuzzy Hash: 286122B01083819FD364CF04C895B9BBBE5BBC9308F148D1DE5E98B291CBB99509CF96
      Function 004543C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004544E3
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0045451F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: @
      • API String ID: 292159236-2766056989
      • Opcode ID: 27544c40d488caf69b147dab382a8028766dadbcc73d0b81850befc0efb61d76
      • Instruction ID: 69cdea0fa370d2d6c5c6e3a470ef5bef4064c2958c024cb120c6b18500eee5cb
      • Opcode Fuzzy Hash: 27544c40d488caf69b147dab382a8028766dadbcc73d0b81850befc0efb61d76
      • Instruction Fuzzy Hash: C4315BB1509704ABD300CF14C840B5BBBE9FFC5368F048A2DF9949B390D7B499488B9A
      Function 0043A8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043A98F
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043A9DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: ,
      • API String ID: 292159236-3772416878
      • Opcode ID: ecb0512cb40364fe0f1229586b6143f97107a9b8cb26a0c6d0dbcd3813cebc0a
      • Instruction ID: 6c3520e3c833b60f0e6187a6f6fb17e41020ab49e5dc2708e05df4029ff9f128
      • Opcode Fuzzy Hash: ecb0512cb40364fe0f1229586b6143f97107a9b8cb26a0c6d0dbcd3813cebc0a
      • Instruction Fuzzy Hash: 1E2127B1208305AFE310CF15DC44B2BBBE9FB89764F14891DF69497390D3B598088B97
      Function 004542B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00454362
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004543AA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: $
      • API String ID: 292159236-3993045852
      • Opcode ID: 88fba1436b3cfbe8184a46cb4dc8c14ed5b139754e42723975e4eebec5c6d6f1
      • Instruction ID: 2be375b18b358059ab5dbb6e85b7e91e52b87ca10bee98a95772c88b09494bbe
      • Opcode Fuzzy Hash: 88fba1436b3cfbe8184a46cb4dc8c14ed5b139754e42723975e4eebec5c6d6f1
      • Instruction Fuzzy Hash: 82317C70209315AFE310CF14DC80B1BBBE8EBC5754F14491DFA949B3D0E3B5A9488B9A
      Function 004363BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00436454
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00436485
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID: F
      • API String ID: 292159236-3458207348
      • Opcode ID: 391ecb900d4dad424ac79db39234135346de4d80c2637fb95bde24badb517c9d
      • Instruction ID: 8ad394aba031968e553bd8ac57dfcbaa5012c3e9b0572add291d6b5a6e6f574b
      • Opcode Fuzzy Hash: 391ecb900d4dad424ac79db39234135346de4d80c2637fb95bde24badb517c9d
      • Instruction Fuzzy Hash: 182149B0209701AFD310CF04D944B1ABBE8EB89358F04891CF5A5973A1D7B8E509CB9B
      Function 00432823 Relevance: 3.5, APIs: 2, Instructions: 492COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00432DAE
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,?,?,?), ref: 00432DF9
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID:
      • API String ID: 237503144-0
      • Opcode ID: be33e8fa79949cb69805faefaf04438b02f84c02410b964089e20784b9cb36af
      • Instruction ID: 2a4aca400083a9637408709778f15292795e629336d0abfa781a7049594eb99a
      • Opcode Fuzzy Hash: be33e8fa79949cb69805faefaf04438b02f84c02410b964089e20784b9cb36af
      • Instruction Fuzzy Hash: DF124A71204B408FE325CF24C995BE7B7E2FF89304F58492DD4AA8B292D77AB815CB45
      Function 00425450 Relevance: 3.4, Strings: 2, Instructions: 882COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: 0$8
      • API String ID: 0-46163386
      • Opcode ID: ecb6591a05061d8a07e6223c0595c225d98336b3dc65cf0af0c0def4fa866688
      • Instruction ID: 3c8865e2f5e7472000e0e94f65d231ed27a534a989194ba3061545443690c095
      • Opcode Fuzzy Hash: ecb6591a05061d8a07e6223c0595c225d98336b3dc65cf0af0c0def4fa866688
      • Instruction Fuzzy Hash: BE828A716097509FD724CF18D88079BBBE2BF88314F48892EF9898B391D379D944CB96
      Function 00444EE6 Relevance: 3.2, APIs: 2, Instructions: 151COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0dfd056516d040457db339f336a772d07e30278b663ac2f790e85dbe269c0d91
      • Instruction ID: f8216604b98ad2a7f4c42f9df0e2476e00cc753f7f28be24df6981a0bc7fb782
      • Opcode Fuzzy Hash: 0dfd056516d040457db339f336a772d07e30278b663ac2f790e85dbe269c0d91
      • Instruction Fuzzy Hash: 3B417B70100B419FE365CF29C890B22BBE1FF4A715F244A1CE5E68B791D7B5B809CB99
      Function 0043C3B8 Relevance: 3.1, APIs: 2, Instructions: 134nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043C564
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043C5A6
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 07609b3e36e76a6612d9a4c90fcd0636a8167da23f513475b8e226b9878108ba
      • Instruction ID: d2d0658d0f2d671af7baa53fe471c8cc5bf65c8afeb80fa78bf37da946ba2613
      • Opcode Fuzzy Hash: 07609b3e36e76a6612d9a4c90fcd0636a8167da23f513475b8e226b9878108ba
      • Instruction Fuzzy Hash: 965103B42093819FE324CF05D990BAABBE4FB89304F04991DE1968B391D7B49509CF97
      Function 0044FB40 Relevance: 3.1, APIs: 2, Instructions: 106nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0044FC4F
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0044FC8C
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: c100127afbc69541705293a37aa608ac986051270e585bb6c84487852fc23358
      • Instruction ID: 9378de66723976db993607706e12cf2ea78e4b803ed6f713b500a1a5a410d1d5
      • Opcode Fuzzy Hash: c100127afbc69541705293a37aa608ac986051270e585bb6c84487852fc23358
      • Instruction Fuzzy Hash: F1314CB0208345AFE300CF15C854B1BBBE4FB85358F14892DE4948B3D0D7B99949CB9A
      Function 004415A3 Relevance: 3.1, APIs: 2, Instructions: 91nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00441944
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0044197B
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 38f2e8d727a4e19bcec7a28c38d001bb5639bff274a4810476708f6a1d5d3acf
      • Instruction ID: 4745ccc3bfd58249c184748f4eea301777cdb84eba3c0921a900c1fa51f6ca3b
      • Opcode Fuzzy Hash: 38f2e8d727a4e19bcec7a28c38d001bb5639bff274a4810476708f6a1d5d3acf
      • Instruction Fuzzy Hash: 5C3125B4211B019FE328CF28DD94B62B7E9FF49701F14891DE2A2877A0E7B4E444CB59
      Function 00454090 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00454133
      • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00454177
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: cbe258848d6d14cab38a57efb301f1a7e21763e75946cc5f64a882415f8f5c70
      • Instruction ID: 5b832a752327bdd4d13f8f9ef89d088fe01b35d38e2642c726bcbebe6139af54
      • Opcode Fuzzy Hash: cbe258848d6d14cab38a57efb301f1a7e21763e75946cc5f64a882415f8f5c70
      • Instruction Fuzzy Hash: FF316CB1209705AFD700CF04DC44B5BBBE8EB85364F04861DF9A49B3D1E7B49948CB96
      Function 00439B1C Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00439BC7
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00439BF6
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 1fcc93b35f13d342b78ed06a910449a374ecc0d11854e4de196a41f7e4e8488f
      • Instruction ID: e8f80e1974ac364a1664c4f33361bec74758d9012d898ee10721ac21c63ab581
      • Opcode Fuzzy Hash: 1fcc93b35f13d342b78ed06a910449a374ecc0d11854e4de196a41f7e4e8488f
      • Instruction Fuzzy Hash: E1313EB1A1160A9FDB04CF94D884BAEB7B4FF08714F144528E611E7390D7B4A944CB69
      Function 0043E3B0 Relevance: 3.1, APIs: 2, Instructions: 84nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043E44E
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0043E488
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 1b39de26a304ee64d594e33999e5b2d83118fcaa16af59266fb3360deb937a32
      • Instruction ID: 69c342c0575eef560d8ca3960841f0e3c738437bc103c0827632d2677cec9708
      • Opcode Fuzzy Hash: 1b39de26a304ee64d594e33999e5b2d83118fcaa16af59266fb3360deb937a32
      • Instruction Fuzzy Hash: 982122B5201B409FD324CF25C984B53B7E4FB48318F14892DE6AA87BA0D7B4F849CB59
      Function 00433B44 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00433C30
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00433C70
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 3cceb2fceea724bc7fbc3b72664632e9c8871bd9ac53cbcd277be707a6c4e39d
      • Instruction ID: fa81cbfcbc5ed1093bc007b9b220220acadaad9a421ab25b53e88e9e60edb2ad
      • Opcode Fuzzy Hash: 3cceb2fceea724bc7fbc3b72664632e9c8871bd9ac53cbcd277be707a6c4e39d
      • Instruction Fuzzy Hash: F3315A70241B009FD768CF28D890B97B7F5FB48311F04492CE2AA87BA1DB75B415CB49
      Function 0044FF90 Relevance: 3.1, APIs: 2, Instructions: 83nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00450043
      • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00450082
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 8931c95348d77fba26a3d64d9a022b542629babc1f32cbf0cec4e7b6a95f214e
      • Instruction ID: a7486b475b7a4ce4afd16b5b75390942807c824e788d3a47509f5c20dc5b475a
      • Opcode Fuzzy Hash: 8931c95348d77fba26a3d64d9a022b542629babc1f32cbf0cec4e7b6a95f214e
      • Instruction Fuzzy Hash: 2A215EB4209305AFE310CF14D884B1BBBE8EF85764F14892DF99597390D3B5D848CBA6
      Function 004371B9 Relevance: 3.1, APIs: 2, Instructions: 80nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043742A
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00437459
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 89245b1d34767e4b065212084a95c19cc86d3ba4eff418780a49d34c17febfb0
      • Instruction ID: 505014db307cc105d5266f8288e88b3d7b598ba93793b0ef2c4209a0fc4ac18e
      • Opcode Fuzzy Hash: 89245b1d34767e4b065212084a95c19cc86d3ba4eff418780a49d34c17febfb0
      • Instruction Fuzzy Hash: 702125B1205B049FE724CF24D944B12B7E4EB08715F148A2CE1A6C7BA1E7B4E908CB59
      Function 0043E4F2 Relevance: 3.1, APIs: 2, Instructions: 79nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043E5BA
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0043E5F5
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: cd29de6f0c9e5e36d21b436b3c75d0d21049e228bb069623aeedb5a70b64b01d
      • Instruction ID: 6bb6ac43b2362f6cb89480e8b1e1e0781c4dbb9761ee8a1568fdfd731d778c9a
      • Opcode Fuzzy Hash: cd29de6f0c9e5e36d21b436b3c75d0d21049e228bb069623aeedb5a70b64b01d
      • Instruction Fuzzy Hash: 593108B1215B449FE764CF28D884B93B7E5FB08304F04491CD2AB87691EBB4B444CF55
      Function 0043418B Relevance: 3.1, APIs: 2, Instructions: 75nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043438D
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004343E6
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: fe13f1486e9e30fdcda400a6401c44a98cbe61fbbedd4e610abb9ed40cf7ece7
      • Instruction ID: df7713d3081673be833ad542633c955dddeac3459cd279a281fc97e4a95f6a0f
      • Opcode Fuzzy Hash: fe13f1486e9e30fdcda400a6401c44a98cbe61fbbedd4e610abb9ed40cf7ece7
      • Instruction Fuzzy Hash: 04214B71341B019FD364CF24C845BA7B7E8FB4A320F141A1DE6AA876D0E7B4B409CB5A
      Function 0044FCA0 Relevance: 3.1, APIs: 2, Instructions: 70nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0044FD41
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0044FD71
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 6136563f6b09bf37aa30a82e63a2a3b78d7172a79fe17e7122a1bf2206bebcc0
      • Instruction ID: f37ee77b88271169c84660aa95d02d48e3e3963fd3adc1b5022bb6a1ce930f7d
      • Opcode Fuzzy Hash: 6136563f6b09bf37aa30a82e63a2a3b78d7172a79fe17e7122a1bf2206bebcc0
      • Instruction Fuzzy Hash: DD214DB1209705AFE310CF05D884B1BBBE8FB85754F14492DF5958B3A0D7B99848CB9A
      Function 00436010 Relevance: 3.1, APIs: 2, Instructions: 69nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004360AD
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004360DF
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: be1075f382c5ec336627f4a135436f21e844bc7a50813fec96ade01e26181c2b
      • Instruction ID: 3e6277a57dbba939c1de850609c4e2a763e462d6590e43c0307e7bf9c45d819f
      • Opcode Fuzzy Hash: be1075f382c5ec336627f4a135436f21e844bc7a50813fec96ade01e26181c2b
      • Instruction Fuzzy Hash: 19215BB0209705ABD304CF14DD44B1BBBE8EB89764F14892DF9A4873D0E3B59848CB97
      Function 004390C1 Relevance: 3.1, APIs: 2, Instructions: 69nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00439154
      • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043918D
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: ea3e56404ec9217eeaa539eb0b236257263bca7a33cfa0400fd044dc3b029cb3
      • Instruction ID: d938b9be882eb8dda936ac153555b326942aa81f2aab722b6a1215448faf7e69
      • Opcode Fuzzy Hash: ea3e56404ec9217eeaa539eb0b236257263bca7a33cfa0400fd044dc3b029cb3
      • Instruction Fuzzy Hash: 582109B02097459FE304CF04C944B6AB7E8FB88318F144A1DE696973A0D7B8D9498B9B
      Function 00444FDC Relevance: 3.1, APIs: 2, Instructions: 55nativememoryCOMMON
      Download Yara Rule
      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0044503A
      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00445072
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateFree
      • String ID:
      • API String ID: 292159236-0
      • Opcode ID: 67a5e22a36dba9575be08c608b90349cc8ef3c6d491b10b145eb0c68078906af
      • Instruction ID: 60639daa1ac0f3185877348681152fd9a06bcffd0982bc86d5935c3bae5d06e0
      • Opcode Fuzzy Hash: 67a5e22a36dba9575be08c608b90349cc8ef3c6d491b10b145eb0c68078906af
      • Instruction Fuzzy Hash: 2E1167B0244B05AFE360CF24C908B52BBE5FB05718F14891CE6A68BAD1E7B4B404CB55
      Function 0042A7C0 Relevance: 3.0, Strings: 2, Instructions: 534COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: `'F$b%F
      • API String ID: 0-3364821145
      • Opcode ID: 5588ad89d68e7356c9efc575715319ac2903567fd25bfdce2ae623f1b00b7e98
      • Instruction ID: 27b08c945643a9a04c9fbd33d41706e03bdce2c9924e87cfeda78875742753f9
      • Opcode Fuzzy Hash: 5588ad89d68e7356c9efc575715319ac2903567fd25bfdce2ae623f1b00b7e98
      • Instruction Fuzzy Hash: 1322EEB0108781CFC311CF26E490662BFF1AB57315B59859AC8E54B7A3D338ED46CB9A
      Function 0043E960 Relevance: 2.8, Strings: 2, Instructions: 264COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: Y[$]\_
      • API String ID: 0-3803755346
      • Opcode ID: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
      • Instruction ID: c45178d6e354c956e2dfc057329629062ba9e514e71a9483ea8e6740e528ba56
      • Opcode Fuzzy Hash: 1101922c18d238547f3775dafd49a3070d8ad6f1385fb3411ca4147beec849ba
      • Instruction Fuzzy Hash: 349166B01093418BD724DF16C89176BBBF0FF86364F149A1DE4928B391E378D909CB9A
      Function 00421000 Relevance: 2.7, Strings: 2, Instructions: 244COMMON
      Download Yara Rule
      Strings
      • , xrefs: 00421206
      • JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ, xrefs: 004211C9
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: $JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ
      • API String ID: 0-3945200152
      • Opcode ID: d4a726cc20d06f6ad8cd325ba71d872ab80bca63034ce73563d4e7fdfc811d9d
      • Instruction ID: 7102a8527ac81d466b4d8eed8b6ac3fa78dd8fb317d3a18b5253febd96e5ae56
      • Opcode Fuzzy Hash: d4a726cc20d06f6ad8cd325ba71d872ab80bca63034ce73563d4e7fdfc811d9d
      • Instruction Fuzzy Hash: 8D914C70B087A18FE324CE15D450367BBE2ABA4300F98C92FE5CA477E2D23D9849C785
      Function 00443DC0 Relevance: 1.9, Strings: 1, Instructions: 693COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: khgn
      • API String ID: 0-185697465
      • Opcode ID: e45cfbffc5e5627637b8bf0dabd2b57bf8902eb122849aea0c2bf85cc89cddd9
      • Instruction ID: 4ce87783e00f8e966e094ceedba5edd061f4348a31fa191aa5389075b444ce0a
      • Opcode Fuzzy Hash: e45cfbffc5e5627637b8bf0dabd2b57bf8902eb122849aea0c2bf85cc89cddd9
      • Instruction Fuzzy Hash: 933280701046818FE725CF28C4A0B62BBF1FF97305F28498DD5D68B392D739A846CBA5
      Function 0044520B Relevance: 1.7, Strings: 1, Instructions: 440COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: f_
      • API String ID: 0-2333948650
      • Opcode ID: 0bbd7253b529ca8e384d53e906f794ea96a44a75c00b32daeea8446302220828
      • Instruction ID: b1bd41a3e3310814ae1cc92be5ebdb1c2ca39eddf5c728310cf68b7572bd398c
      • Opcode Fuzzy Hash: 0bbd7253b529ca8e384d53e906f794ea96a44a75c00b32daeea8446302220828
      • Instruction Fuzzy Hash: B8E18270104B428FE725CF29C090722FBF2BF5A315F68865EC4D68B792C739A855CB94
      Function 004452A9 Relevance: 1.7, Strings: 1, Instructions: 433COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: f_
      • API String ID: 0-2333948650
      • Opcode ID: 8e88e041b570ce00043e14a623cc79a8fc17d7536261e9cabc546215a5f249ad
      • Instruction ID: c063f2f0cda39f6a520e08746a3205d204813a6b2dd43a2f0b9b88576443100f
      • Opcode Fuzzy Hash: 8e88e041b570ce00043e14a623cc79a8fc17d7536261e9cabc546215a5f249ad
      • Instruction Fuzzy Hash: BCE1A370104B428FE725CF29C090722FBF2BF5A315F68866ED4D68B792C739A855CB94
      Function 0044466A Relevance: 1.7, Strings: 1, Instructions: 422COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: S@ZQ
      • API String ID: 0-3562939948
      • Opcode ID: f3a821bf727e4a4fb00e5ee3794fd5aea9411e9f36a8996d14bfff9bd8746d60
      • Instruction ID: 6c6d757da4accc20268230b1bc3ee290a3317446c07dc2c5d13ba95faa46d24c
      • Opcode Fuzzy Hash: f3a821bf727e4a4fb00e5ee3794fd5aea9411e9f36a8996d14bfff9bd8746d60
      • Instruction Fuzzy Hash: BDE170B01046828FE725CF29C0A0726FBF2FF96304F28869DC4D24B796D379A855CB95
      Function 00444A1C Relevance: 1.6, Strings: 1, Instructions: 361COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: S@ZQ
      • API String ID: 0-3562939948
      • Opcode ID: d57c0d3f0f2dbce05c7e312f320f684f568ec71db4813f76af863e78ac86b03f
      • Instruction ID: f78347ed86a8a914674cba0fdeba932118f89727461923d531047a9702320cc8
      • Opcode Fuzzy Hash: d57c0d3f0f2dbce05c7e312f320f684f568ec71db4813f76af863e78ac86b03f
      • Instruction Fuzzy Hash: DCD18FB01046818FE725CF29C0A0726FBE2FF96304F28869DC4D64F796C779A945CB99
      Function 004337F3 Relevance: 1.6, APIs: 1, Instructions: 109COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000006,?,00000200,?), ref: 004338C4
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID:
      • API String ID: 237503144-0
      • Opcode ID: ca859b748ce09b19b0778666ad4885848968b6551b7100afb06deea1b559f555
      • Instruction ID: 5aadda01b79bf93aa45b7880e68c80dce1f1a01f3299c36398abc4f1f9a1625c
      • Opcode Fuzzy Hash: ca859b748ce09b19b0778666ad4885848968b6551b7100afb06deea1b559f555
      • Instruction Fuzzy Hash: A8316975600B118BD7288F20C851BB3B3F1EF4A326F04681ED5D78B691E779B946CB58
      Function 00439350 Relevance: 1.6, Strings: 1, Instructions: 315COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: 1iDk
      • API String ID: 0-1621131942
      • Opcode ID: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
      • Instruction ID: 5ef95d5371927fbe074a2956476eaaa1e99bd57f7c4b5ee270ca656b35799622
      • Opcode Fuzzy Hash: 40e3497affd5838ee2a64c9266babcdbb0824583537f37809c85260c3e6c1d03
      • Instruction Fuzzy Hash: B3C121B1100B019BD724CF26C491B97BBF1FB49314F049A1DD4EA8BA52D778F98ACB94
      Function 004267F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: ,
      • API String ID: 0-3772416878
      • Opcode ID: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
      • Instruction ID: 1eb77949c7d8ef7254cb68f0d1ae3dc8acd86ad4a07d10ef750bf63fb710c325
      • Opcode Fuzzy Hash: 6453aa0199f8805114bbc91ebdd927ccc4af3d64524ec0081da15823b0fba469
      • Instruction Fuzzy Hash: 43B13871609391AFD314CF68D88465BFBE0AFA9304F444A5EF49897382C375EA18CB97
      Function 0042A560 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: xE
      • API String ID: 0-90296957
      • Opcode ID: c34374d254cf0493c3186e6e07700e60200dd26c888e80054f04b1acf7b09b56
      • Instruction ID: 85f5ec1be487714e16c42f329c37020fc4a04226612bee7122bfbb32d1936490
      • Opcode Fuzzy Hash: c34374d254cf0493c3186e6e07700e60200dd26c888e80054f04b1acf7b09b56
      • Instruction Fuzzy Hash: 1751ECB19186007BD7105F21FD466AA7BA4FB5634AF44403AFD4892323F3B94A288B5F
      Function 00431CFA Relevance: 1.4, Strings: 1, Instructions: 154COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: &iD
      • API String ID: 0-101692967
      • Opcode ID: 3f58dbcb78cc462f185ddc1e08e4b7c750eff6d604e34f4bd9a1e30e3cb3a9a2
      • Instruction ID: a8926f57861f7bd8eb1bb3e57b679b6084b8436394f2316954634c412aee921d
      • Opcode Fuzzy Hash: 3f58dbcb78cc462f185ddc1e08e4b7c750eff6d604e34f4bd9a1e30e3cb3a9a2
      • Instruction Fuzzy Hash: 5A5139B0500B418FD736CF24C490B63B7E5BB4A315F149A2ED4AA87761E778F809CB99
      Function 00436266 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: mn2
      • API String ID: 0-3593888445
      • Opcode ID: 8f1fac9ee36ba4ef03ba00cc79aaca8f730ef8126b1ae651ac2e11676e55c1ea
      • Instruction ID: cd5cf14dd6d1c8dd1fbdba6302551f8209142b6bf03444bd0c256c5bbaa6eee2
      • Opcode Fuzzy Hash: 8f1fac9ee36ba4ef03ba00cc79aaca8f730ef8126b1ae651ac2e11676e55c1ea
      • Instruction Fuzzy Hash: FE31C57291422197C7249F18CC9267772B0FF6A364F0AA16EEC868B391E739AD04C759
      Function 0044095B Relevance: 1.4, Strings: 1, Instructions: 100COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: q
      • API String ID: 0-389260800
      • Opcode ID: 77a7fe4b5190cbc937e1e9ca3c293ccb527ec332ad51bda72787815c3a56763e
      • Instruction ID: 367ceecb92f030f0106a5b75cff7c47a37e56d75bc83dba664aa746eefc5de32
      • Opcode Fuzzy Hash: 77a7fe4b5190cbc937e1e9ca3c293ccb527ec332ad51bda72787815c3a56763e
      • Instruction Fuzzy Hash: BB3136B0601B108BEB28CF20C8D1A577BB1BF45300F14859DDA478FB8AC33AE516CB99
      Function 00437031 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID: |[H
      • API String ID: 0-2212627739
      • Opcode ID: d753c3774132fd4f91c9e044a32e0cf18c73ef86659e23c91fac657668c8f2aa
      • Instruction ID: e40dda7b756cae0caa834d5d42beddfee6f25fec5e75742d99f0f62744475388
      • Opcode Fuzzy Hash: d753c3774132fd4f91c9e044a32e0cf18c73ef86659e23c91fac657668c8f2aa
      • Instruction Fuzzy Hash: 43E06D74342502ABDA0CCF14E991A367361E78D30AF19A02DE402C7765D6A8EC459B0D
      Function 00427E10 Relevance: .9, Instructions: 851COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
      • Instruction ID: a6494d927b28299b5a046ca13695687d3657c9796d34adc17a3eead6092747ab
      • Opcode Fuzzy Hash: 83622410ff41487bf125e1c11d66996ff3ae748d359dbd726af2f124ffe188aa
      • Instruction Fuzzy Hash: B252C5316093258BC724DF18E88067FB3E1FFD4314F69892ED98297391EB38A955C74A
      Function 00423390 Relevance: .7, Instructions: 707COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 05a4b10b1eb49870d166a2cd6926a11c57d62162af61098c1d90060cb9fa6734
      • Instruction ID: ed0ea2a05adce8ff695c65a6e205e4ec0bf3924f43d66f1abde6f0624803c170
      • Opcode Fuzzy Hash: 05a4b10b1eb49870d166a2cd6926a11c57d62162af61098c1d90060cb9fa6734
      • Instruction Fuzzy Hash: 4962B3716083618FC710CF19D08066AB7F1BF89315F548AAEE8D89B342D379ED46CB85
      Function 00423E20 Relevance: .6, Instructions: 629COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c3a8ee9cd2599963f2035e86cc1fe276a60fcafeeae37f835f9e414051eb57e4
      • Instruction ID: 753bfcc85ab255323601634bf6a08705bd07f09b0a63d66ee1e6b5a8f474655f
      • Opcode Fuzzy Hash: c3a8ee9cd2599963f2035e86cc1fe276a60fcafeeae37f835f9e414051eb57e4
      • Instruction Fuzzy Hash: 35424970614B218FC328CF29D59056ABBF1FF95310BA08A2ED5978BB90D739F945CB18
      Function 00426200 Relevance: .5, Instructions: 469COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: db1e9d82b5440d786aa77cfded76b73419a686728a05ea10ae7582bc4fca24d7
      • Instruction ID: 35d91eaaa651261794ae73c2e56a9efb0cb4f72eb4a665e5af7de1fa4dc08262
      • Opcode Fuzzy Hash: db1e9d82b5440d786aa77cfded76b73419a686728a05ea10ae7582bc4fca24d7
      • Instruction Fuzzy Hash: 9B02D1312083508FC714CF28D88062BBBE1FF99304F99496EE9998B352D779DC45CB96
      Function 00438AF0 Relevance: .4, Instructions: 425COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
      • Instruction ID: f6930b5b8bda9281b4052a65db8729055de43eb7c620e269eedf01b81159a1f3
      • Opcode Fuzzy Hash: 7fbad3e94e5a9f7f5de47208d573d2cdf32fd8807ea27ac502defd54347f0225
      • Instruction Fuzzy Hash: 76C1BAB04083118BD724CF14C8A276BF7F1FFA6354F14AA1DE8954B390E7799905CB9A
      Function 00428B60 Relevance: .4, Instructions: 398COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1bb94ae7308bec0ac3c4e6a4b25775eae82dbbf6deee59c38c1bb1d08cfaf2f3
      • Instruction ID: cefe08a89398747b9c7e8fb72d75effed9d4c3a09e06ad1ca359749b45e5b42f
      • Opcode Fuzzy Hash: 1bb94ae7308bec0ac3c4e6a4b25775eae82dbbf6deee59c38c1bb1d08cfaf2f3
      • Instruction Fuzzy Hash: BFD15D72B097114BC314CE29E8D035FFBE3AFD5320FA9C65ED494473A5EA3898468B85
      Function 004325E9 Relevance: .2, Instructions: 215COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 773b1b72317fb576e81184463f38ebdfac70b3a135f9181e62156cf6d0d82304
      • Instruction ID: f99fb0e2a012986d600dd7152b7576c0e0f3fb77341674f60a708bfe49e16db9
      • Opcode Fuzzy Hash: 773b1b72317fb576e81184463f38ebdfac70b3a135f9181e62156cf6d0d82304
      • Instruction Fuzzy Hash: 98513975604B408FC325CF29C681A63B7E6BF89320F14A92ED496C7B51EB78F8468B44
      Function 004347AF Relevance: .2, Instructions: 199COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6bfe7cf5e7002dd9da651b4edf54d9d68b55a2398e1f423f5152700c78d965eb
      • Instruction ID: e48ab96bb911efedf7cd437d90396a1b755436cd83dbb04a5d48eb2441d96c80
      • Opcode Fuzzy Hash: 6bfe7cf5e7002dd9da651b4edf54d9d68b55a2398e1f423f5152700c78d965eb
      • Instruction Fuzzy Hash: A651BDB0600B418FD725DF21D880767B3E5AF89314F14AA2ED89B87781E778F845CB58
      Function 0044D9A0 Relevance: .2, Instructions: 187COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
      • Instruction ID: d57047f60af740986bb75068c807d84ddc345f6915119415aeb225b4bd49b92a
      • Opcode Fuzzy Hash: b14a77e03b9ec93c491432ccf29bf4971831dd60c9a72ab418a1cdfe84afe96e
      • Instruction Fuzzy Hash: F1519AB19087558FE714DF29D89035BBBE0AB84308F008A2EE4E583390D779DA09CF82
      Function 00431600 Relevance: .1, Instructions: 134COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4e5dbf34ccabc87877ed566d811ae95a5c0c70fa75d2d938c2ea79949ac8d9f8
      • Instruction ID: 7c512edf92418a242e1c666bc53f5e532dc0db35609795430a2c8c80e1c53c9d
      • Opcode Fuzzy Hash: 4e5dbf34ccabc87877ed566d811ae95a5c0c70fa75d2d938c2ea79949ac8d9f8
      • Instruction Fuzzy Hash: 4D411372A182A04BD3488E39989033ABAD2ABCA310F18867EF4E5C73E1D678C945D755
      Function 00422FB0 Relevance: .1, Instructions: 100COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e030d44d5e0db069deb99b161d678d712502ed9c3674ca8ab82fb113716d6e7a
      • Instruction ID: 92eec5c0a20c67a9fd882b7f52c6c572fc8bdb10281f28859643cba3937af71f
      • Opcode Fuzzy Hash: e030d44d5e0db069deb99b161d678d712502ed9c3674ca8ab82fb113716d6e7a
      • Instruction Fuzzy Hash: 6021FB7165827007C74CCE35A8E05BA77A3D7C732375F827ED6824739AC93D9909C624
      Function 004288C0 Relevance: .1, Instructions: 83COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
      • Instruction ID: f54a93ffa1e300ff69d0d1070c026670631ebbfc935f5c8f93933265d402e510
      • Opcode Fuzzy Hash: fe7b8f47dfd71d7cccb983fbf7aaa8102b2f4aceb73621c04df20fc30f488878
      • Instruction Fuzzy Hash: 1721D47690A7F145833B853C50A043BFED058A721939E86EFD8E617343C80A9886D7EA
      Function 004289A0 Relevance: .1, Instructions: 73COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
      • Instruction ID: 973e0f1d360b1ffa070fbc69f8feb427661359056a514b3b64c72c2a12b74979
      • Opcode Fuzzy Hash: 27196f8ff10a336b0c0aaca2e1a977e1861f62a8436cdef7aa3826bbf0062200
      • Instruction Fuzzy Hash: 7311253770B2A44E473C991C9851C7BFE4489B630439E81FFD94997313CC5AC84AC2AE
      Function 0043504F Relevance: .1, Instructions: 53COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0ce64e146ce323b863cc835d22a576d2b22e346cb8b9986a51f8dd83daa3f525
      • Instruction ID: 84411e526330b27c60c88a36a0a00ee99df7eb8001b0caa32a5f010a29126d04
      • Opcode Fuzzy Hash: 0ce64e146ce323b863cc835d22a576d2b22e346cb8b9986a51f8dd83daa3f525
      • Instruction Fuzzy Hash: 221160317467814FD36A8B24C865BE7BBF1AB07314F48146ED4DBC7642CA286819CB56
      Function 00447386 Relevance: .0, Instructions: 30COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3d1560ad5d46a50b8e21ce8d6921911bf257ff00cbaba276607bb11524586296
      • Instruction ID: 8df28c35cb000463785645de879ea78046c24c993f036fc189b1be1ac35fb706
      • Opcode Fuzzy Hash: 3d1560ad5d46a50b8e21ce8d6921911bf257ff00cbaba276607bb11524586296
      • Instruction Fuzzy Hash: B7F049711097418FC312CF34C955A87BBF5BF89340F168A6ED4998B252D774F609CB82
      Function 0045276D Relevance: .0, Instructions: 22COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0f94c608eb0a019a40d233812beed6c0bd40afb878054e11ab5c69a1dc6bb6b3
      • Instruction ID: b2695540d81ffc0e7548d17f813ed0629943f10a52cb66d802f154ffc21c9662
      • Opcode Fuzzy Hash: 0f94c608eb0a019a40d233812beed6c0bd40afb878054e11ab5c69a1dc6bb6b3
      • Instruction Fuzzy Hash: 22D0C780A100A047CB048B33AC0AE333E2A8EE338BB0C6019E0809321AE028C120927A
      Function 00452C90 Relevance: .0, Instructions: 16COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: acfcd3b784aba27e7fe1588364a0b8477c19fdaad81411066af6e7976215faa7
      • Instruction ID: 03e297df82e955d8dafb5c60afc00264458b174c24cfd45815fc15c0b4007d03
      • Opcode Fuzzy Hash: acfcd3b784aba27e7fe1588364a0b8477c19fdaad81411066af6e7976215faa7
      • Instruction Fuzzy Hash: C1C08020518184574E149F56EC47C73773CD647244B043025D557D3651D550D85095FF
      Function 004532E1 Relevance: .0, Instructions: 12COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1e0253bedfa8bdaf857f492515dd1f7f9de1712e344290a81cd3dabe8f440fc7
      • Instruction ID: 0a6536a251b8fecbd96cab0ae05bb5148d12e5c878b1897b0b9b91b93da6c8e5
      • Opcode Fuzzy Hash: 1e0253bedfa8bdaf857f492515dd1f7f9de1712e344290a81cd3dabe8f440fc7
      • Instruction Fuzzy Hash: 35C002399091409B8688CF01D890475F3B7EBDA214F19745ADC432376AD6B0E8129A4D
      Function 0042BEDC Relevance: .0, Instructions: 12COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e253ce97579786ca9da26d3008318dedc1b4bc96be356c1abb8e1a9ff85a93b8
      • Instruction ID: 53f8d3b69b2b6558432494064ea8f347371e99c5c1fcdcc06eeffaebdfda112c
      • Opcode Fuzzy Hash: e253ce97579786ca9da26d3008318dedc1b4bc96be356c1abb8e1a9ff85a93b8
      • Instruction Fuzzy Hash: CCD0A730540281CFC759DF38C2ABF9077F1AB09201F8944ADD88BCF686CB30A600CB00
      Function 0043CA30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 152COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0043CB64
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0043CB93
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: eI.K$]_$qs
      • API String ID: 237503144-625656762
      • Opcode ID: d997081d980d664a51d5e7952b5a539730f544b432ac31143f6a29feea0208fd
      • Instruction ID: 7092521e1f78d8e1da2af06aae6c0fede4f6126d8588df7139dd458f8c3b538b
      • Opcode Fuzzy Hash: d997081d980d664a51d5e7952b5a539730f544b432ac31143f6a29feea0208fd
      • Instruction Fuzzy Hash: BD5141B1108342ABD304CF05D891B1BBBE4EF8A794F145E2DF8A49B391D378D9458B9A
      Function 004364F5 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 309COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00436728
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00436764
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: qrs
      • API String ID: 237503144-2859022563
      • Opcode ID: d0487dca81b9d199c315855208979d2778a4b78a4025ee28aceddd71505dcde9
      • Instruction ID: a0f7e6e3df24368c21feedfcbc15671e68f6f3561bbcd7283f634bf579091e54
      • Opcode Fuzzy Hash: d0487dca81b9d199c315855208979d2778a4b78a4025ee28aceddd71505dcde9
      • Instruction Fuzzy Hash: 18C1BDB1901B01AFD324CF2AC882763BBF5FF49314F15461DE89A8B7A1E335A401CB96
      Function 00438FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
      Download Yara Rule
      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0043900A
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00439038
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2636267777.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
      • Associated: 00000000.00000002.2636213146.0000000000420000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636309264.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636325668.0000000000459000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636343019.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2636357843.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_420000_LisectAVT_2403002C_59.jbxd
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: <u0
      • API String ID: 237503144-3891312201
      • Opcode ID: 922993b6e9f730a37149f04c4e7dc88fc7dc585e77e703020b745bf5b85b0c19
      • Instruction ID: 668c1bab35ac4be19a7884168d72785e90eb64e4afb2a40b20907fcb06c7d776
      • Opcode Fuzzy Hash: 922993b6e9f730a37149f04c4e7dc88fc7dc585e77e703020b745bf5b85b0c19
      • Instruction Fuzzy Hash: 8301C4716407047BE214AB248C86F77727CDB45B65F044219FA61C72C2E7B0BD0886EA