Windows Analysis Report
payload.exe

Overview

General Information

Sample name: payload.exe
Analysis ID: 1436577
MD5: ce50f943a26c5cb2baf73d051ce6e8fc
SHA1: 8ddbd6b36ecb62ebe2925d212af13cbc786a6d35
SHA256: a83a24e2219d14f4448a837d638b007c9404d893dd035bdf67fbde220e3c4ced
Tags: exe

Detection

LummaC
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • payload.exe (PID: 2424 cmdline: "C:\Users\user\Desktop\payload.exe" MD5: CE50F943A26C5CB2BAF73D051CE6E8FC)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "pearcyworkeronej.shop"], "Build id": "uYY3NI--"}
Source | Rule | Description | Author
decrypted.binstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: payload.exe | Avira: detected
    Source: payload.exe | Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "pearcyworkeronej.shop"], "Build id": "uYY3NI--"}
    Source: sweetsquarediaslw.shop | Virustotal: Detection: 10%
    Source: payload.exe | Virustotal: Detection: 47%
    Source: payload.exe | Joe Sandbox ML: detected
    Source: payload.exe | String decryptor: boredimperissvieos.shop
    Source: payload.exe | String decryptor: holicisticscrarws.shop
    Source: payload.exe | String decryptor: sweetsquarediaslw.shop
    Source: payload.exe | String decryptor: plaintediousidowsko.shop
    Source: payload.exe | String decryptor: miniaturefinerninewjs.shop
    Source: payload.exe | String decryptor: zippyfinickysofwps.shop
    Source: payload.exe | String decryptor: obsceneclassyjuwks.shop
    Source: payload.exe | String decryptor: acceptabledcooeprs.shop
    Source: payload.exe | String decryptor: pearcyworkeronej.shop
    Source: payload.exe | String decryptor: lid=%s&j=%s&ver=4.0
    Source: payload.exe | String decryptor: TeslaBrowser/5.5
    Source: payload.exe | String decryptor: - Screen Resoluton:
    Source: payload.exe | String decryptor: - Physical Installed Memory:
    Source: payload.exe | String decryptor: Workgroup: -
    Source: payload.exe | String decryptor: uYY3NI--
    Source: payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

    Networking

    Source: Malware configuration extractor | URLs: boredimperissvieos.shop
    Source: Malware configuration extractor | URLs: holicisticscrarws.shop
    Source: Malware configuration extractor | URLs: sweetsquarediaslw.shop
    Source: Malware configuration extractor | URLs: plaintediousidowsko.shop
    Source: Malware configuration extractor | URLs: miniaturefinerninewjs.shop
    Source: Malware configuration extractor | URLs: zippyfinickysofwps.shop
    Source: Malware configuration extractor | URLs: obsceneclassyjuwks.shop
    Source: Malware configuration extractor | URLs: acceptabledcooeprs.shop
    Source: Malware configuration extractor | URLs: pearcyworkeronej.shop
    Source: C:\Users\user\Desktop\payload.exe | Code function: 0_2_00400520 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 0_2_00400520
    Source: C:\Users\user\Desktop\payload.exe | Code function: 0_2_00401CAA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, | 0_2_00401CAA
    Source: C:\Users\user\Desktop\payload.exe | Code function: String function: 003D8AF0 appears 52 times
    Source: C:\Users\user\Desktop\payload.exe | Code function: String function: 003E0520 appears 194 times
    Source: payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal96.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\payload.exe | Code function: 0_2_00400169 CoCreateInstance, | 0_2_00400169
    Source: payload.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: payload.exe | Virustotal: Detection: 47%
    Source: C:\Users\user\Desktop\payload.exe | File read: C:\Users\user\Desktop\payload.exe
    Source: C:\Users\user\Desktop\payload.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\payload.exe | Section loaded: winhttp.dll
    Source: payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\payload.exe | Code function: 0_2_004037E3 push esp; iretd | 0_2_004037E7
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\payload.exe | Code function: 0_2_0040B550 LdrInitializeThunk, | 0_2_0040B550

    HIPS / PFW / Operating System Protection Evasion

    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: boredimperissvieos.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: holicisticscrarws.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: sweetsquarediaslw.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: plaintediousidowsko.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: miniaturefinerninewjs.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: zippyfinickysofwps.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: obsceneclassyjuwks.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: acceptabledcooeprs.shop
    Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: pearcyworkeronej.shop

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
    MITRE ATT&CK Matrix (the number in parentheses is the signature count the report shows for that technique; techniques without a number are unmatched matrix entries):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
    Resource Development: Acquire Infrastructure; Domains; DNS Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: PowerShell (1); Scheduled Task/Job; At
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Deobfuscate/Decode Files or Information (11); DLL Side-Loading (1); Obfuscated Files or Information (3)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: System Information Discovery (2); Application Window Discovery; Query Registry
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Screen Capture (1); Archive Collected Data (1); Clipboard Data (2)
    Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
    Source | Detection | Scanner | Label
    payload.exe | 47% | Virustotal |
    payload.exe | 100% | Avira | TR/Crypt.XPACK.Gen
    payload.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    plaintediousidowsko.shop | 0% | Avira URL Cloud | safe
    zippyfinickysofwps.shop | 0% | Avira URL Cloud | safe
    acceptabledcooeprs.shop | 0% | Avira URL Cloud | safe
    sweetsquarediaslw.shop | 0% | Avira URL Cloud | safe
    pearcyworkeronej.shop | 0% | Avira URL Cloud | safe
    boredimperissvieos.shop | 0% | Avira URL Cloud | safe
    holicisticscrarws.shop | 0% | Avira URL Cloud | safe
    miniaturefinerninewjs.shop | 0% | Avira URL Cloud | safe
    zippyfinickysofwps.shop | 1% | Virustotal |
    sweetsquarediaslw.shop | 11% | Virustotal |
    obsceneclassyjuwks.shop | 0% | Avira URL Cloud | safe
    acceptabledcooeprs.shop | 1% | Virustotal |
    plaintediousidowsko.shop | 1% | Virustotal |
    holicisticscrarws.shop | 1% | Virustotal |
    miniaturefinerninewjs.shop | 1% | Virustotal |
    pearcyworkeronej.shop | 1% | Virustotal |
    obsceneclassyjuwks.shop | 1% | Virustotal |
    boredimperissvieos.shop | 1% | Virustotal |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    sweetsquarediaslw.shop | true | 11% Virustotal; Avira URL Cloud: safe | unknown
    plaintediousidowsko.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    acceptabledcooeprs.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    zippyfinickysofwps.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    pearcyworkeronej.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    boredimperissvieos.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    holicisticscrarws.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    miniaturefinerninewjs.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    obsceneclassyjuwks.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
    No contacted IP infos
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1436577
    Start date and time: 2024-05-06 03:48:04 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 3m 56s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 5
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: payload.exe
    Detection: MAL
    Classification: mal96.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 10
    • Number of non-executed functions: 68
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    No simulations
    No context
    No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.788830322420954
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: payload.exe
    File size: 330'752 bytes
    MD5: ce50f943a26c5cb2baf73d051ce6e8fc
    SHA1: 8ddbd6b36ecb62ebe2925d212af13cbc786a6d35
    SHA256: a83a24e2219d14f4448a837d638b007c9404d893dd035bdf67fbde220e3c4ced
    SHA512: 5a123d36cf927ce52dcc0f7c4e5aa2d310bcadf426d41dd220e70a4ee9b310cd1f8e98001c9f8c2171ea9ce1dd18e8f10bd762a2e6596bad8c2a5c183f857d25
    SSDEEP: 6144:yRA+/51VgJzIvSp0HML2Sc9vAetvbrge:yRXRkk6BLmvAAg
    TLSH: 87646D65EB2364E1CC091A7574FB733E992C2A06933C4EC7C790EA9529937A3D437C29
    File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....1f..........................................@.......................................@.................................`)..x..
    Icon Hash: 90cececece8e8eb0
    Entrypoint: 0x4091d0
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp: 0x66311A18 [Tue Apr 30 16:19:36 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 6
    OS Version Minor: 0
    File Version Major: 6
    File Version Minor: 0
    Subsystem Version Major: 6
    Subsystem Version Minor: 0
    Import Hash: 22b4d38704f75fff43f3bb8928070c58
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42960 | 0x78 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x57000 | 0x516c | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x42a6c | 0x94 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x3eb9b | 0x3ec00 | 277810daafcfdff4acc70defa8e0c6ab | False | 0.5140103647908366 | data | 6.4809294077676665 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x40000 | 0x2cff | 0x2e00 | a356d1f423e018e074f7e385e99b4a83 | False | 0.45601222826086957 | data | 6.85535825716077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x43000 | 0x1301c | 0x9c00 | 724fca454cc87b76a3cd2924df0c5f16 | False | 0.6958633814102564 | data | 7.107452094249996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x57000 | 0x516c | 0x5200 | 6d02f9965810bacfbd5a2168c330de11 | False | 0.5370141006097561 | data | 6.532827928916524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | ExitProcess, GetConsoleWindow, GetLastError, GlobalLock, GlobalUnlock
    ole32.dll | CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
    OLEAUT32.dll | SysAllocString, SysFreeString, SysStringLen, VariantClear, VariantInit
    USER32.dll | CloseClipboard, GetClipboardData, GetDC, GetSystemMetrics, GetWindowInfo, OpenClipboard, ReleaseDC
    GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetCurrentObject, GetDIBits, GetObjectW, SelectObject, SelectPalette
    No network behavior found

    Target ID: 0
    Start time: 03:48:48
    Start date: 06/05/2024
    Path: C:\Users\user\Desktop\payload.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\payload.exe"
    Imagebase: 0x3d0000
    File size: 330'752 bytes
    MD5 hash: CE50F943A26C5CB2BAF73D051CE6E8FC
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: false

      Execution Graph

      Execution Coverage: 1.2%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 22.4%
      Total number of Nodes: 49
      Total number of Limit Nodes: 5

      Control-flow Graph

      APIs
      • LdrInitializeThunk.NTDLL(0040E58C,005C003F,00000006,00120089,?,00000018,7452,00000000,003E56BE), ref: 0040B576
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: InitializeThunk
      • String ID: 7452
      • API String ID: 2994545307-87867774
      • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
      • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
      • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
      • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 7452
      • API String ID: 0-87867774
      • Opcode ID: 0a00f4b004f93b5ae1c29fc73bf9b3cd2e7f192c84c30409873dab5f53be3cad
      • Instruction ID: 4771d2ced3591a19d5c765dc9d6c56a00990cd8a0691646b860eecec9230c046
      • Opcode Fuzzy Hash: 0a00f4b004f93b5ae1c29fc73bf9b3cd2e7f192c84c30409873dab5f53be3cad
      • Instruction Fuzzy Hash: 4551ADB12043019BE714CF16C990B6BBBE2FBC8744F188D2DE4956B290C378E955CF8A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: InitializeThunk
      • String ID: onqp
      • API String ID: 2994545307-1718216680
      • Opcode ID: 79d455b7733c03b583821975106d1e8c8e88c917b9a7a681dd35e6c641d9d181
      • Instruction ID: 05ec22cf4307bbb809298a07ba4ffbb04dacb2b5d3f961756912c860be9e0cdb
      • Opcode Fuzzy Hash: 79d455b7733c03b583821975106d1e8c8e88c917b9a7a681dd35e6c641d9d181
      • Instruction Fuzzy Hash: 4A315C74600700DBD7289F15C8A0B37B7A2FB85318F64862EC4A717BD6D378E8018B98
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp
      • API String ID: 0-1718216680
      • Opcode ID: c7e2b211c5810915d79a31272e987528957e70a65a6a7f9ee7f0492bd96613cf
      • Instruction ID: 701e96a5708290cbbca6cd12006ee7ac8bc6c44eab37cfc1c6a6012249bd4efd
      • Opcode Fuzzy Hash: c7e2b211c5810915d79a31272e987528957e70a65a6a7f9ee7f0492bd96613cf
      • Instruction Fuzzy Hash: E7211674600B008FD738CF15C4A0B37BBE2EB49705F149A2EC49747A92C379E9058B88
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      • of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in, xrefs: 003D91FF
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: ExitProcess
      • String ID: of system that leetspeak, reflection primarily the of other modified on glyphs resemblance is replacements similarity or eleet the ways used character a often spellings on play uses their via internet. or it in
      • API String ID: 621844428-2804141084
      • Opcode ID: f4a5dd3f09cb4b9568b73ad4f5a7adbf10bb4208895515be4b2ed0e55f9c7e03
      • Instruction ID: 613cd18b38cae8b4d0befc2c383478cf8965f80212e4ff636547eb9b52bff1b6
      • Opcode Fuzzy Hash: f4a5dd3f09cb4b9568b73ad4f5a7adbf10bb4208895515be4b2ed0e55f9c7e03
      • Instruction Fuzzy Hash: DFF0B473C1820CE6C7123BB57B0A36A3AACAF11344F114C3BEC4299741EA75461496A7
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: &F
      • API String ID: 1029625771-107606442
      • Opcode ID: 524e7c54fa36595da7b9575e03e0cde68c6d7ca7c5b14e9c8b1d1fa59a3b0c0d
      • Instruction ID: d06a7b6b9127d46ddd9f84b73d3518c6722b540d95ff77d6deccdb1df5fc914d
      • Opcode Fuzzy Hash: 524e7c54fa36595da7b9575e03e0cde68c6d7ca7c5b14e9c8b1d1fa59a3b0c0d
      • Instruction Fuzzy Hash: 8D217CB0919301AFC708DF11D89462EBBE2FFC4349F14C92EE49617265E7348A16CF8A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: $F
      • API String ID: 1029625771-2091492042
      • Opcode ID: 8686c956be5cccce36cbfc377667caf6d81de2795c3c5b60f8069ddf4d86232d
      • Instruction ID: d75a096fa78437d3aff63e738b0b1f574ec786afb5795b02b1ed5755fe84b458
      • Opcode Fuzzy Hash: 8686c956be5cccce36cbfc377667caf6d81de2795c3c5b60f8069ddf4d86232d
      • Instruction Fuzzy Hash: 07D017B13A62028FD3049B20AE518A73295AA81280315C53AC002963D6EB389462CEAF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 90932dc31d35e0484a24b7c7c0a5c0856488d5a3efd4d70faa3664b2575a3a3c
      • Instruction ID: 6177d04e22487ab26554d75d15c24cd7af86f75aa0bdce2d3840c20041ba9cdb
      • Opcode Fuzzy Hash: 90932dc31d35e0484a24b7c7c0a5c0856488d5a3efd4d70faa3664b2575a3a3c
      • Instruction Fuzzy Hash: D8415AB0919301AFD708DF11D8A472EBBA2FFD5348F14C92EE49627251E7348615CF8A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: c8072abf9436d6931900079ef00e2eca0d16684543e004318d30ba68d294dd2e
      • Instruction ID: 2fa69c15dd9219805c7463336752f27c90f025b0b92b4c39e99e1ac98e322fff
      • Opcode Fuzzy Hash: c8072abf9436d6931900079ef00e2eca0d16684543e004318d30ba68d294dd2e
      • Instruction Fuzzy Hash: 1E11E37024D3409BD708DF00D4A176BBBE2EFE5319F148A1DE4A907385D7399646CB8A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00409367
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: e0f259762eaed200a146ab27dc6b8ac5192503c7ec06740db4d34a19b57fd103
      • Instruction ID: 9ced5105790a6ee91722c8355336f9ae21c388f8cb47fd985ccdccc265cdc7b5
      • Opcode Fuzzy Hash: e0f259762eaed200a146ab27dc6b8ac5192503c7ec06740db4d34a19b57fd103
      • Instruction Fuzzy Hash: 7A1135706083019FD708DF14D860B6FBBA2FBC5329F248A1DE8A907792D7359A15CBC6
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: Clipboard$CloseDataInfoOpenWindow
      • String ID: 7$8$9$:$;
      • API String ID: 2278096442-1017836374
      • Opcode ID: 5bf406dc6dbad0d9256e704a557511062d5750635e22566887f52aab74570600
      • Instruction ID: cfa99e09c1a72c0b2ee048269ddd3dc05cdc06ac7707b4f59dc3cc27a7ad7ad5
      • Opcode Fuzzy Hash: 5bf406dc6dbad0d9256e704a557511062d5750635e22566887f52aab74570600
      • Instruction Fuzzy Hash: EA71BFB0408740CFC321DF28C484726BBF1AF46314F148A6AE8969B792D379E416DF6B
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: .$.$0$Ph5)A$Uhj'A$Uho'A$false$hY)A$null$true${$$t$<t$wt
      • API String ID: 0-3678731201
      • Opcode ID: 75f907b0a2603d6c434bd2a88b9d79a3b5a675d25f1d26de4be7856f7a877185
      • Instruction ID: 921775bc3f3290a6927fcd9b172a249957334d0d8aa42de324b070e4474ab8ad
      • Opcode Fuzzy Hash: 75f907b0a2603d6c434bd2a88b9d79a3b5a675d25f1d26de4be7856f7a877185
      • Instruction Fuzzy Hash: 66E138B2A00305AFE7229F25FD45727BBE4AF40304F15853EE8958B392E774D914CB96
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: $b$20?$B5?$onqp$r0?$rv$0?
      • API String ID: 0-376913036
      • Opcode ID: 7a08bff18d0ae8152cc4811bef8540a82a0dfb75f9542241d20181b40b8399ea
      • Instruction ID: 3801814e35ff837af33e71a2e8f8a5aeecdc34fdb2d8c9a1e4d7720e6b76e0d1
      • Opcode Fuzzy Hash: 7a08bff18d0ae8152cc4811bef8540a82a0dfb75f9542241d20181b40b8399ea
      • Instruction Fuzzy Hash: 8B829AB1604B00CFD725CF29D891B66B7E2FF85308F15896DD9AA8B791D774E901CB40
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: Object$DeleteMetricsSelectSystem
      • String ID:
      • API String ID: 3911056724-3916222277
      • Opcode ID: 766a30974907e77b5bc167ffa97546b8a1bcc7a52d12f3e6d7fbdade6f8b1cd6
      • Instruction ID: 0c19ce299c92318377330eeae6888eed467193063594bf84a00ad97ed0e16190
      • Opcode Fuzzy Hash: 766a30974907e77b5bc167ffa97546b8a1bcc7a52d12f3e6d7fbdade6f8b1cd6
      • Instruction Fuzzy Hash: 54A15AB4614B008FC364DF28DA81A66BBF1FF89704F10896DE99AC7760D771B844CB92
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: H\UK$MTDC$^A$k^PW$k^PW$p,J^$(
      • API String ID: 0-2897112414
      • Opcode ID: 4cb1d2a139421ae9cb281e9413b061bf2fe9187673c0a3fa46b425bfb9b1e7e3
      • Instruction ID: 194d91e06430d943b614efe2c2c01b72390b9dbff62fe8d1b68ba01b1c4f4652
      • Opcode Fuzzy Hash: 4cb1d2a139421ae9cb281e9413b061bf2fe9187673c0a3fa46b425bfb9b1e7e3
      • Instruction Fuzzy Hash: 53C147B110C3918FD325CF14D4A479BBBE0BF92304F194A5EE4E59B392C779990ACB92
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: &ldh$ql$uux$v|vs$~t~{$<z?
      • API String ID: 0-2189675787
      • Opcode ID: 12fb30c04e640750d88163aead64cc476cef8bab57739ce71d16b5a3c78c5a42
      • Instruction ID: f66a19d1ca7f078a80e569eb087f512f3389ac9effd81e744b74d065fe2b58ae
      • Opcode Fuzzy Hash: 12fb30c04e640750d88163aead64cc476cef8bab57739ce71d16b5a3c78c5a42
      • Instruction Fuzzy Hash: B0319AB05183808BD315CF15C892B2ABBE2BFE6364F199B1CF4A55B2E1D739C8018B46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: )$IDAT$IEND$IHDR$VUUU
      • API String ID: 0-2101632234
      • Opcode ID: f7acdb1bca0de22a45027413a8f13bd540039baf858e5fff523ca3d1e7c38668
      • Instruction ID: ca601ce84c68692008ab62ca7f9dcd48364110a992539d963eb3e6ce8224f87e
      • Opcode Fuzzy Hash: f7acdb1bca0de22a45027413a8f13bd540039baf858e5fff523ca3d1e7c38668
      • Instruction Fuzzy Hash: 3A0211B26083808FD705CF28E8907ABBBE1EF94304F05852EF9858B392D775D909CB91
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: I]J$L\]D$RWGQ$W^S
      • API String ID: 0-3197350908
      • Opcode ID: 187302d4f3ae02377a6d2353e240c82a8dc16cea9dfbebb960bdfaa7e0c584b7
      • Instruction ID: 0d83ec228e197f9d3f227b829922bc125049185023a9d8ba82ad109cbf99f837
      • Opcode Fuzzy Hash: 187302d4f3ae02377a6d2353e240c82a8dc16cea9dfbebb960bdfaa7e0c584b7
      • Instruction Fuzzy Hash: 157137B4215B918FE3268F3AC4987E3BBE1BF46304F198A5CC0EB4B392C335A5458B55
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 7452$R-,T$R-,T
      • API String ID: 0-4083704330
      • Opcode ID: 50e37ea88e9d45eef0fc06e7976a1bdd834cd015f19283eabfe2e17f29dea48b
      • Instruction ID: 59a216b563e3b7e262a0a8ec7100b680e18def1da29318053cd2f3d2a7bb6386
      • Opcode Fuzzy Hash: 50e37ea88e9d45eef0fc06e7976a1bdd834cd015f19283eabfe2e17f29dea48b
      • Instruction Fuzzy Hash: 93B1BB726043129BC724CF18C89076BB7E1FB88354F15893DE885AB391D338EC4ACB96
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 0$onqp
      • API String ID: 0-3335788350
      • Opcode ID: 28ed6619bc48240ac1e6dc81301210e55ab49a8e50e142c0c953abf95916b897
      • Instruction ID: 4934371985ec2ad28d3905d3e123d924ac9101674d1b49a64033629ae1527979
      • Opcode Fuzzy Hash: 28ed6619bc48240ac1e6dc81301210e55ab49a8e50e142c0c953abf95916b897
      • Instruction Fuzzy Hash: C392F1702007468FD72ACF29C490772BBE2FF56304F19866DC5EA8BB96D739A805CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SysStringLen.OLEAUT32 ref: 003FC868
        • Part of subcall function 004092D0: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00409367
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: AllocateHeapString
      • String ID: G
      • API String ID: 983180023-985283518
      • Opcode ID: 17099c46784f5b3297b78c7e8b2cd5ecc07c92cac959d0fb8deb663eaa470ec6
      • Instruction ID: ce1ad2ac99b3887c3c9fe83d7104cbdd3c4bdd51edc0cc293ccf322199c16a32
      • Opcode Fuzzy Hash: 17099c46784f5b3297b78c7e8b2cd5ecc07c92cac959d0fb8deb663eaa470ec6
      • Instruction Fuzzy Hash: D291B1716493898FC735CE2CC5957EBBBD2AB96320F084A2CD4E98B3D1D7359841CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 0$8
      • API String ID: 0-46163386
      • Opcode ID: 965003bcab6eef0ce89c56426a0d79b989bc7d992d2bef54091320ce55fc75ac
      • Instruction ID: 4705b516298b8d2dc2e62b58d4c1ff745ec49fade22351c70788c36322760821
      • Opcode Fuzzy Hash: 965003bcab6eef0ce89c56426a0d79b989bc7d992d2bef54091320ce55fc75ac
      • Instruction Fuzzy Hash: B67269726083409FD726CF18D880BAEBBE1BF98314F05891EF9998B391D375D944DB92
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: "$"
      • API String ID: 0-3758156766
      • Opcode ID: c09ea1cc5fd59bfaf70c112123a5906b4a50997ff0155226c6e851a45779b739
      • Instruction ID: 0570577af8e0e752765e5cce4e6114a61180d306aba4949371213dd6c5d22b40
      • Opcode Fuzzy Hash: c09ea1cc5fd59bfaf70c112123a5906b4a50997ff0155226c6e851a45779b739
      • Instruction Fuzzy Hash: D70216716087099FC71ACE28C49577BBBE5ABC4310F19892EFA968B382D734DD04C782
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp$onqp
      • API String ID: 0-2464386876
      • Opcode ID: aa7a2f38ec91b985ea5867f53d5cedd3556185f6548472242563aae672c56fc7
      • Instruction ID: 3646c5ef32bd2b3854148c77cf81d5f932712cdafeb6b1d795ad3f7b2b65d4bc
      • Opcode Fuzzy Hash: aa7a2f38ec91b985ea5867f53d5cedd3556185f6548472242563aae672c56fc7
      • Instruction Fuzzy Hash: EDC1C9B5508304DFE7148F25D894B6BBBF1FB89308F18892DF5859B2A1D739D805CB86
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp$onqp
      • API String ID: 0-2464386876
      • Opcode ID: 8ebc5abf192df527bd0643e1c6539049175dbde9fa10c7d75af60d8931d02b4f
      • Instruction ID: 76182da2c7a2587e7bc398606eb2133654b9833e6d697944da22e433d7099e98
      • Opcode Fuzzy Hash: 8ebc5abf192df527bd0643e1c6539049175dbde9fa10c7d75af60d8931d02b4f
      • Instruction Fuzzy Hash: E941A274601B408FE328CF15C4A4B27B7F2FB89314F549A2EC4A757A95C378F9458B89
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp
      • API String ID: 0-1718216680
      • Opcode ID: ab774552533149f619908bef01f2872b3175ff300fa2375bcabc98d3dfde8858
      • Instruction ID: 4868a7b6111f86d82cc229584e1cd5d30e0e3d6d79ede06db5fade97dca39430
      • Opcode Fuzzy Hash: ab774552533149f619908bef01f2872b3175ff300fa2375bcabc98d3dfde8858
      • Instruction Fuzzy Hash: BE327B716083419FD714CF14C890B6FBBE2BBC5318F188A2EE4959B392D779D905CB8A
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 2RPJ
      • API String ID: 0-955047986
      • Opcode ID: 72a67a18b956f5df403d47b5c1ef1c0df16082ad9a7fcff791d8a7d06ab5e454
      • Instruction ID: 25ebdfa7bfc06ccdc222f1f6af16fb6d21478f4e9d836538ba8cb7984db868e2
      • Opcode Fuzzy Hash: 72a67a18b956f5df403d47b5c1ef1c0df16082ad9a7fcff791d8a7d06ab5e454
      • Instruction Fuzzy Hash: B6E1B0701047468BD72ACF29C060762FBF2BF5A304F28869DD5DA8B792D735E846CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID: InitializeThunk
      • String ID: onqp
      • API String ID: 2994545307-1718216680
      • Opcode ID: c654a46bdbf0921cdc64184c9ba6dc13954c025b638d74ce1349a6fe7a670371
      • Instruction ID: df9bfe33831c7873c87cbd684b9bcbec5e1b02950082ec878566bbc9c5a5ace6
      • Opcode Fuzzy Hash: c654a46bdbf0921cdc64184c9ba6dc13954c025b638d74ce1349a6fe7a670371
      • Instruction Fuzzy Hash: 4FC1D0B1A09305CFD715CF18D89073BB7E2EB94364F19892DE68597381E379D805CB86
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: ?
      • API String ID: 0-3352534275
      • Opcode ID: 0520d974ee8ee18a27dc7fe8415ebe05fb18668d254c00ea046c51518e0561aa
      • Instruction ID: b70f28790ae17e884017cae25aa6c735265138dea2175889c1019ef9c61d449e
      • Opcode Fuzzy Hash: 0520d974ee8ee18a27dc7fe8415ebe05fb18668d254c00ea046c51518e0561aa
      • Instruction Fuzzy Hash: 57B1F6B0208742CFD726CF29C490663B7F2BF56304B198AADD5968BB52D735F80ACB50
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: ::34
      • API String ID: 0-1123104282
      • Opcode ID: 5684ed1a232316854971bd8c782b939575f8a2abb35315b040336fd5f7ef31c9
      • Instruction ID: 1fa66ed91db4c317196feacbae9e0f379cd4e98834bc5fb68bd10c21261ecc9c
      • Opcode Fuzzy Hash: 5684ed1a232316854971bd8c782b939575f8a2abb35315b040336fd5f7ef31c9
      • Instruction Fuzzy Hash: A7A1E2702047818BD729CF3980A17B6FBE2EF56304F29866ED5EB8B792D7359809C714
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 7452
      • API String ID: 0-87867774
      • Opcode ID: eed9a1413b1239386eae771f5e5843315ba5ef60c1c68f18d40fa856c6852a97
      • Instruction ID: d4c813d045fadd65c2013c9e042e04203758203d55f0b0f1d13502e24c4ef832
      • Opcode Fuzzy Hash: eed9a1413b1239386eae771f5e5843315ba5ef60c1c68f18d40fa856c6852a97
      • Instruction Fuzzy Hash: 58A1BF756043029BD728CF28C490B6BB7E1FF88354F15897DE8859BBA1D738D849CB86
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 7452
      • API String ID: 0-87867774
      • Opcode ID: 42a8a12c25c79477145b7b726292e8f0abdf71ba2c97e9b1b77a8007fc05452a
      • Instruction ID: 6c8f776d058d3ace00d390b611d95ade6d9f1f296fce947896b829ac00903b58
      • Opcode Fuzzy Hash: 42a8a12c25c79477145b7b726292e8f0abdf71ba2c97e9b1b77a8007fc05452a
      • Instruction Fuzzy Hash: DC91BA71A043129BD724CF14C890B6BB7E1FB88754F55893DE8856B391C338AD19CB9A
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: knke
      • API String ID: 0-888893071
      • Opcode ID: ff9c77a779d71d8c3327578f0a6b66affc5e52b812ab9a153c85a6e3067afd94
      • Instruction ID: 9956e4d14f9dd9225270901cd81d58988eff22988f474b91539ed2db5af2035b
      • Opcode Fuzzy Hash: ff9c77a779d71d8c3327578f0a6b66affc5e52b812ab9a153c85a6e3067afd94
      • Instruction Fuzzy Hash: 749122B5500B009FC720CF29C982A53BBF5EF49350F148A59E8AA8BB55D331E915CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: "
      • API String ID: 0-123907689
      • Opcode ID: 40fe89be50ea8bc6398bef2ccb7ebb6b82f68838cafdbfa995459706f5d31397
      • Instruction ID: 9be62861308bcfad45bd53a10466797672113fe2563d17995b6931be84446faf
      • Opcode Fuzzy Hash: 40fe89be50ea8bc6398bef2ccb7ebb6b82f68838cafdbfa995459706f5d31397
      • Instruction Fuzzy Hash: 98717F335082428FD7138B28DC443A7BBAAEFB6300F1A896BE4958B382D734D915D791
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp
      • API String ID: 0-1718216680
      • Opcode ID: 6e307be4afb4db3deade368ba82625cdb28a703fba074034296b63d4872fe086
      • Instruction ID: 9d0f3371f4b998d23e914cd9a8a4ad24548d7a0b6213062883a2f6c99b5a1cf7
      • Opcode Fuzzy Hash: 6e307be4afb4db3deade368ba82625cdb28a703fba074034296b63d4872fe086
      • Instruction Fuzzy Hash: F7518B716083419BE718CF04C4A472FBBE2BBC4318F28892DE4995B396D7799D45CB8A
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 7452
      • API String ID: 0-87867774
      • Opcode ID: 41afadeac40a032c25f8489fbbac0b4b42be77393cd085e05f111709acbfeac8
      • Instruction ID: 3c840a652752a6d5e3d012b1d792ebc58976f9b39f515653490a8055b4484b9f
      • Opcode Fuzzy Hash: 41afadeac40a032c25f8489fbbac0b4b42be77393cd085e05f111709acbfeac8
      • Instruction Fuzzy Hash: C95177B56083019BE704CF15C990B6BBBE2FBC4344F148D2DE4996B390C3B9E955CB8A
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: knke
      • API String ID: 0-888893071
      • Opcode ID: bc53a105cebc15157f645683b05e552db8d610911ea366741d255ea86eef0133
      • Instruction ID: 8733fa3714edad7aaab3a82fd89d13bd7fcf5697afab3fb72675826d2bfb719a
      • Opcode Fuzzy Hash: bc53a105cebc15157f645683b05e552db8d610911ea366741d255ea86eef0133
      • Instruction Fuzzy Hash: 0D6132B5204B00CFC725CF19D980A52BBF2FF89354B158999D89A4BB2AC335F919CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: ^t_
      • API String ID: 0-4261081691
      • Opcode ID: abc6fa6c940e35956016b17059ac2285edce1bb6ec5194f9d77c5c50bcb2aaed
      • Instruction ID: e474bb87c92d9131fd5d2bd65d1d45080fb283d529ce7877e348878ffab9aa0d
      • Opcode Fuzzy Hash: abc6fa6c940e35956016b17059ac2285edce1bb6ec5194f9d77c5c50bcb2aaed
      • Instruction Fuzzy Hash: 49315E755146518BC726CF25C880B66B3E6FFC9310F298A6DE85A8B791E770E8418B44
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 0
      • API String ID: 0-4108050209
      • Opcode ID: 1a9e6ba964fbaf7f0e0d218640a422fde8332600ee7678b6848932d4c050434c
      • Instruction ID: dc54d375cc7a3ff61d6818937318d46945b0cc7918838b5938df3ea279eacd6d
      • Opcode Fuzzy Hash: 1a9e6ba964fbaf7f0e0d218640a422fde8332600ee7678b6848932d4c050434c
      • Instruction Fuzzy Hash: A1318B202096568AD72D8F29C091132F7F2EF84310B59C26ADAD68F7E9DB788842D325
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: \Q
      • API String ID: 0-1270571461
      • Opcode ID: edbd9f668cb80e8af32eded43258ac07e1d1a6e39b246d59f4f70180b3b74d96
      • Instruction ID: 149ed19eeaa923af2b35bf7d8edddcda699f8079eb71f266b37287b6cf4d7fcb
      • Opcode Fuzzy Hash: edbd9f668cb80e8af32eded43258ac07e1d1a6e39b246d59f4f70180b3b74d96
      • Instruction Fuzzy Hash: 033122B160C3C08BD3298F29D46535FFBE1BB96708F144A2DE0D99B391C73888468F46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: onqp
      • API String ID: 0-1718216680
      • Opcode ID: be7bec73a1eb659c51da659a24398129e1e9a498d29faa8e0c268a38bf3b98c2
      • Instruction ID: f9489fa35cac33b601076d2dc4c12d9c3a34680a97d98ae77fcab4ba130cd4d3
      • Opcode Fuzzy Hash: be7bec73a1eb659c51da659a24398129e1e9a498d29faa8e0c268a38bf3b98c2
      • Instruction Fuzzy Hash: 5D216874644B048BDB25CF05C590B27BBF2FB49708F14892DC1E387B61C3B9E8068B88
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: \Q
      • API String ID: 0-1270571461
      • Opcode ID: 85433d6f2856ddb21ce1bd31a8833ba311ebe6516f2ab84ef9726984fb18f8f2
      • Instruction ID: 32dc2e323ff580644de5b1d9e0924e812960d463cb1dd36d338e356c88dad01d
      • Opcode Fuzzy Hash: 85433d6f2856ddb21ce1bd31a8833ba311ebe6516f2ab84ef9726984fb18f8f2
      • Instruction Fuzzy Hash: 70310FB060C3D08BD3298F26D46135FFBE1BB86708F144A2DE0D99B392C77989458F46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID: 'F
      • API String ID: 0-2706096732
      • Opcode ID: 33f7d422d0198afc128290c90a925468dabb6beb35fb240dc5edb40efdd3545f
      • Instruction ID: fc90a51b50e09a6b285d208f35b9e45288485e60851bd7a5c8d091e45d260bac
      • Opcode Fuzzy Hash: 33f7d422d0198afc128290c90a925468dabb6beb35fb240dc5edb40efdd3545f
      • Instruction Fuzzy Hash: 6DB0922694C000CB8108CF41EC50AB0B236E78B228E1A701C8402232A2C220A4339A4C
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 704b87d1b9c676f88e1c07b0446b889827816cb16b5e5fb0875026c9d654919f
      • Instruction ID: 9d8eae64cc10b8f93142efbb9d681f65ba29980d2973e634ef838fc68ec60329
      • Opcode Fuzzy Hash: 704b87d1b9c676f88e1c07b0446b889827816cb16b5e5fb0875026c9d654919f
      • Instruction Fuzzy Hash: B152B3725083118BC726DF18F8806BAB3E1FFD4314F2A892ED98697385DB34B955CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 79d5f9f8caf7b54000f15f1f067a3f7c34de4f2f272fdb02c6e44958f5c9b20c
      • Instruction ID: 5e008c5cfef2574e60b03262fbc453f82986e64a9346ecd845325a5997a93e09
      • Opcode Fuzzy Hash: 79d5f9f8caf7b54000f15f1f067a3f7c34de4f2f272fdb02c6e44958f5c9b20c
      • Instruction Fuzzy Hash: B4328E701087868FE726CF28C490B62FBF1BF16304F18459DD5DA8B792D375A84ACBA4
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b4b7d1f930dbf05ac83d0cfc620925e5fcf094d55eeb4619c4231a3b23b28cac
      • Instruction ID: f5dbe1c65df4d85c331c8569eb37f3d726b6cfff52004d92986df5e061f71a93
      • Opcode Fuzzy Hash: b4b7d1f930dbf05ac83d0cfc620925e5fcf094d55eeb4619c4231a3b23b28cac
      • Instruction Fuzzy Hash: 60327E701087868FE726CF29C490B62FBF1BF5A304F18469DD5DA8B792D375A846CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2b6a4ff4a3088b67c8c8971fb9780cfcd51fc72835d0b00b2b1dd8be051df065
      • Instruction ID: 6c57f23a0935a1c3d4dec3548ba5fbc4a91aabbed88baa2556b26931048939cd
      • Opcode Fuzzy Hash: 2b6a4ff4a3088b67c8c8971fb9780cfcd51fc72835d0b00b2b1dd8be051df065
      • Instruction Fuzzy Hash: 4E425676514B518FC36ACF28E58066ABBF1BF95300B618A2ED5978BF90D335F845CB10
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1cc433d73ee7863bf3baf712e3ab323f9bdb6f120ad35d14f19bbe250fce6af6
      • Instruction ID: 2f9733062519ca895d9360fa6cc69b4ed257f742150b17d6ebfaa98545e9738f
      • Opcode Fuzzy Hash: 1cc433d73ee7863bf3baf712e3ab323f9bdb6f120ad35d14f19bbe250fce6af6
      • Instruction Fuzzy Hash: 3612AC71618351CFD308CF19D89076AB7E2FB89354F0ACA7CE4869B2A1D739E941CB85
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b858fd94bb424a67cd363859b026443fb71f6952dce7be5e384bed1165026df1
      • Instruction ID: 897339005dd07ee181e35e5d1a6f92bb362e27ee9e299124783a08c0dc14e7f3
      • Opcode Fuzzy Hash: b858fd94bb424a67cd363859b026443fb71f6952dce7be5e384bed1165026df1
      • Instruction Fuzzy Hash: 6802C4366083408FCB15CF19C89176BBBE2AFD9304F09886EE899CB356D735D905CB96
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 845d68774042441be9208f89fcf25374b3e31390619627d18ed0bcc6fa9ec825
      • Instruction ID: ba6f0e5628f42a2ece2b37d36d5b5e2054b0a6aed31defc0867a03f3a26e7ee0
      • Opcode Fuzzy Hash: 845d68774042441be9208f89fcf25374b3e31390619627d18ed0bcc6fa9ec825
      • Instruction Fuzzy Hash: 5CC191701047458BD72ACF29C0A0762FBF1BF5A304F28869DD5DA8B796DB35E806CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 77d53b8d1e1bda448932f5d9f8e938e328d096d5a508a205a3e8d4a9ab3b9ffe
      • Instruction ID: b560227409f40d5dd1d26268b0435d7244a9e63d4defcebf13cb97962a4c2d62
      • Opcode Fuzzy Hash: 77d53b8d1e1bda448932f5d9f8e938e328d096d5a508a205a3e8d4a9ab3b9ffe
      • Instruction Fuzzy Hash: 91B18AB16047518BD725CF25C891763B7B2FF89314F198698D89A8F7D6E734E801CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0be96aac433814c4d7c79e216d3a5a1e8ac74cb4cc2ee84e96072177ed0bde3d
      • Instruction ID: 979d1ae829eb5fb640d567af1d356a73ed8e595f07734eb120dc0c87bd25d38b
      • Opcode Fuzzy Hash: 0be96aac433814c4d7c79e216d3a5a1e8ac74cb4cc2ee84e96072177ed0bde3d
      • Instruction Fuzzy Hash: 70B146742007048FD7298F28C8A1B63B7B2FF56314F19899CD9968F7A6E775E805CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 48c4aa9e606e5c483fad073583738871c267846bd9e0f35d59a00d3f4e5931f3
      • Instruction ID: 73b5d0846e3fbeb31e0ed48ecb933f1f0729b0c2543c62a005f90f2d424fd016
      • Opcode Fuzzy Hash: 48c4aa9e606e5c483fad073583738871c267846bd9e0f35d59a00d3f4e5931f3
      • Instruction Fuzzy Hash: 11817AB0600B518FD32ACF26C490B63B7E5BF95314F148A2DD4AA87792E774F845CB80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ef8109db08be919303f0ed2477fe37574a899c65098444156da50ea7fc117bfa
      • Instruction ID: 41da6e554dfaa5bf9ce06030f9ed7aafdd2846646fbc56e78dc41379214cf06e
      • Opcode Fuzzy Hash: ef8109db08be919303f0ed2477fe37574a899c65098444156da50ea7fc117bfa
      • Instruction Fuzzy Hash: B861ADB1A08352DFD304CF14D890B6AB7E5FF89305F068A6CE88697390D734E901CB5A
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6fbc5abad996672f1a45e4ee74135ca59843cb83727992447485a450cc8c3834
      • Instruction ID: abe174ee552617fe58486690c79997535b8caf323b5165d59bbab6ecfab505c4
      • Opcode Fuzzy Hash: 6fbc5abad996672f1a45e4ee74135ca59843cb83727992447485a450cc8c3834
      • Instruction Fuzzy Hash: 9B519CB19087458FE714DF29D89075BBBE1AB84308F00893EE5E587391D379EA09CF82
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: aeb516a135a5b5a586476be058a5336ea1e1d8335a9aa118a0f34d093c90878c
      • Instruction ID: 7f998df00d0743e5b1a7ae5afa7389e732bd8ae45c1916c936cbe849283b43d7
      • Opcode Fuzzy Hash: aeb516a135a5b5a586476be058a5336ea1e1d8335a9aa118a0f34d093c90878c
      • Instruction Fuzzy Hash: 974149719087A48BD7229F56C880766B7E9EF6231CF0A4768E88A4B2C1E771DC04C751
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f766da87013e5695ea8458c0fbbccf4e014b429880c38a76b4a9c07177d015a8
      • Instruction ID: 3040b234ba84c9edc717b5a21de01129ee6d35c1ef130a2eddc8215f4fb0e1d8
      • Opcode Fuzzy Hash: f766da87013e5695ea8458c0fbbccf4e014b429880c38a76b4a9c07177d015a8
      • Instruction Fuzzy Hash: 7D414175204B408FD729CF26D4A0BB7B7A3FB89308F595A1DD49B07B96D735B8018B48
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 255f44f35b572620fe4b5db5f3a87350090ac598147bee90e0959033fdd775ff
      • Instruction ID: e9a90ce2d0b9c3ab6ffa69725ce4255c16d030de37b0d074ffb2abafd052ac02
      • Opcode Fuzzy Hash: 255f44f35b572620fe4b5db5f3a87350090ac598147bee90e0959033fdd775ff
      • Instruction Fuzzy Hash: E44118762182A04FE30D8B2AC9A037ABBD2DFC5350F05866DF1E9473D1D6788882EB11
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a4751b8ce15eda8162a99c2c49cc659687e0cf73ea2742ffc41ab201742a53db
      • Instruction ID: 6b3b5ba1bff6c9af65ade5123469ea4c1ae89208078cd11dcdf8c2bf8518abee
      • Opcode Fuzzy Hash: a4751b8ce15eda8162a99c2c49cc659687e0cf73ea2742ffc41ab201742a53db
      • Instruction Fuzzy Hash: B3216B77B241B10BD311CE7AACE0177B7A2DFC6311B1E8276E6C09B753C565DC068211
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 83e3aac15911f0d8e5589f7438a305861bf21873d88b8212a6ac50414d6d3ecc
      • Instruction ID: 2a65429e166838073e9c93e813d24b4d017613a4c901b8f0843462171aaab102
      • Opcode Fuzzy Hash: 83e3aac15911f0d8e5589f7438a305861bf21873d88b8212a6ac50414d6d3ecc
      • Instruction Fuzzy Hash: 0C31C8726043009BD7169F18E880927B7E1EFE4318F19896EF8999B391D771DC52CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c68de23d5e8141ac6a51d6618031bb30b64d765285fb72d2b75af455fac4cdd7
      • Instruction ID: a9d9c3ef351b37a1e0aaf8196c58aaaa4a72dbc452032f2e0e60e78a2a134a08
      • Opcode Fuzzy Hash: c68de23d5e8141ac6a51d6618031bb30b64d765285fb72d2b75af455fac4cdd7
      • Instruction Fuzzy Hash: 41212A76608350AFD314CF24C89479BF7E2BBC8714F49892DF899A7251D770E904CB86
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
      • Instruction ID: f15ecba55bcf7d066590556f9df659c80fc35f28dd68c0608a238a873f040645
      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
      • Instruction Fuzzy Hash: D6112C33A055D00EC3118D3C841066A7FA34A93334B5983AAF4B4AB2D2D5378D8A8759
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5cb141b7bc7d04a841ebe8ff6786b39e491cb9f895e0f76c18e5c03a504ce8a5
      • Instruction ID: 09529e37ba749f0fba9df56059cb1fe58b6c367d8518c6421a1b0779342dc1b0
      • Opcode Fuzzy Hash: 5cb141b7bc7d04a841ebe8ff6786b39e491cb9f895e0f76c18e5c03a504ce8a5
      • Instruction Fuzzy Hash: D501D4F2B00B0597EB229F54A4C073BB6A86F94754F09443DEB094B302DBB5FC04C2A5
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8430b6161187a564c0d5085e64ce825a3cbf6e8f3cfc9cf7ce2cfb46af2b5e7f
      • Instruction ID: 13e9c4588d6cd7bb9d82a2a8a87695be20b2a693f9aead71bcb6507d8c2803e8
      • Opcode Fuzzy Hash: 8430b6161187a564c0d5085e64ce825a3cbf6e8f3cfc9cf7ce2cfb46af2b5e7f
      • Instruction Fuzzy Hash: F221A1B16193019FD708CF25D85175FBBE1ABC5314F588E2CE4A497381D338D9168B87
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ee4b155c915e11dc12f0216b57c55098f890df1d55a025ca6babf99b32d57a7b
      • Instruction ID: dac15fee85bbcf2622569cfdc993df4515ae5ed907889ae18d0700269ee61db1
      • Opcode Fuzzy Hash: ee4b155c915e11dc12f0216b57c55098f890df1d55a025ca6babf99b32d57a7b
      • Instruction Fuzzy Hash: 330116C48085F006D226036341747B7BEE9085A3057CECCDEE4EA3B793D25E9D189F95
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7248a2b152da1b0ed36fe9dae950bcd2716a003cf3b6d2107b01048bca145a89
      • Instruction ID: eb9207ba940d088107bab495834a22c308c72b1b0ed90dadedb65ce0aee09a4c
      • Opcode Fuzzy Hash: 7248a2b152da1b0ed36fe9dae950bcd2716a003cf3b6d2107b01048bca145a89
      • Instruction Fuzzy Hash: 25F0307AA041108BCB5CCF06D851676B3A2EB95301B4CE43EE88AE3290D638DC448A49
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
      • Instruction ID: 372e4d8bcff92e2ba05011bfef722e9efdcd9bd872d1eb78bd5eed419161e557
      • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
      • Instruction Fuzzy Hash: 82D097625483A40E47098D3810A0937FBE8E943612F0820DFE0C5E3204C224DC0142D8
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2882410125.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
      • Associated: 00000000.00000002.2882389259.00000000003D0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882461527.0000000000413000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882477032.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2882491747.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_3d0000_payload.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cb9c2b57653967b2a9482af6de367357f0b9d6b26149baddc930321fb9230c3b
      • Instruction ID: f9a3a1549f340f29bf387e0a64b8088c38ac4d13152caefb7b01d85633f799e3
      • Opcode Fuzzy Hash: cb9c2b57653967b2a9482af6de367357f0b9d6b26149baddc930321fb9230c3b
      • Instruction Fuzzy Hash: E2F015B4504301CFC310DF28C594B9ABBE4FB48344F00881DE99A8B354CBB4AA40CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 003EE1AD
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 003EE1D8
      Strings
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: iWk$1mo$3]!_$=Y,[$je$~H
      • API String ID: 237503144-1999540153
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: Object$DeleteMetricsSelectSystem
      • String ID:
      • API String ID: 3911056724-3916222277
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 003EEC1D
      • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 003EEC4C
      Strings
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: )qs$JW$TF$aZ$ru
      • API String ID: 237503144-2698335981
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000D,?,00000008,?), ref: 004073DE
      Strings
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: HbA
      • API String ID: 237503144-3621289289
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 003E5BFD
      • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 003E5C2E
      Strings
      Similarity
      • API ID: EnvironmentExpandStrings
      • String ID: 4U+W
      • API String ID: 237503144-3070584207
      Uniqueness

      Uniqueness Score: -1.00%